c25c1698395a2edd315158035660df240ab7e5cd43288fa87f207e07eec82d56 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

jooyu.exe
Size

3.6MB
Sample

200709-yndtx19eps
MD5

37d5c635f8d3299b0a83c0e4c372716c
SHA1

161e81a01668f556a41a1c3e1a301c734c784c08
SHA256

c25c1698395a2edd315158035660df240ab7e5cd43288fa87f207e07eec82d56
SHA512

18bf1be4b4c527e27452b71c34977f8f303a767a220640d8f134e9ef3fd8692307fbaa3931fbddf427ab33275bfaedac5cb471a12c4c74d35a725e7548727268

Score

8^/10

persistence spyware vmprotect

Malware Config

Targets

- Target
  
  jooyu.exe
- Size
  
  3.6MB
- MD5
  
  37d5c635f8d3299b0a83c0e4c372716c
- SHA1
  
  161e81a01668f556a41a1c3e1a301c734c784c08
- SHA256
  
  c25c1698395a2edd315158035660df240ab7e5cd43288fa87f207e07eec82d56
- SHA512
  
  18bf1be4b4c527e27452b71c34977f8f303a767a220640d8f134e9ef3fd8692307fbaa3931fbddf427ab33275bfaedac5cb471a12c4c74d35a725e7548727268
Score

8^/10

spyware persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run entry to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

spywarepersistence

behavioral2

spywarepersistence