Analysis Overview
SHA256
8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0
Threat Level: Known bad
The file sfzs5.cab was found to be: Known bad.
Malicious Activity Summary
Valak JavaScript Loader
Valak
JavaScript code in executable
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:07
Reported
2020-11-10 06:21
Platform
win7v20201028
Max time kernel
74s
Max time network
77s
Command Line
Signatures
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/2008-0-0x0000000000000000-mapping.dmp
memory/1424-1-0x0000000000000000-mapping.dmp
C:\Users\Public\DB_TGfNqo.RJFl_
| MD5 | 2207304e71add81999c26eaa15ebbe18 |
| SHA1 | 68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20 |
| SHA256 | d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c |
| SHA512 | 589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8 |
memory/1424-3-0x0000000002700000-0x0000000002704000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:07
Reported
2020-11-10 06:21
Platform
win10v20201028
Max time kernel
37s
Max time network
102s
Command Line
Signatures
Valak
Valak JavaScript Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4760 wrote to memory of 4824 (logged 3 times) | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4824 wrote to memory of 4236 (logged 3 times) | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\wscript.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1
C:\Windows\SysWOW64\wscript.exe
wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
Files
memory/4824-0-0x0000000000000000-mapping.dmp
memory/4236-1-0x0000000000000000-mapping.dmp
C:\Users\Public\DB_TGfNqo.RJFl_
| MD5 | 2207304e71add81999c26eaa15ebbe18 |
| SHA1 | 68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20 |
| SHA256 | d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c |
| SHA512 | 589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8 |
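The two behavioral runs record the same chain: the 64-bit rundll32.exe loads sfzs5.cab.dll (a DLL delivered under a .cab name from the user's Temp directory), hands off to the SysWOW64 rundll32.exe because the DLL is 32-bit, and that process launches wscript.exe with //E:jscript on a file staged in C:\Users\Public under a non-script extension (the recorded command line is missing its closing quote, so the path must be parsed tolerantly). WmiApSrv.exe, the WMI Performance Adapter service, has no recorded parent link to this chain. The hunting script below is an added example, not part of the sandbox report or the Valak sample: it reconstructs that chain from process-creation events and checks file digests against the SHA256 IOCs listed above. The events are constructed from the command lines and PIDs in behavioral2; the Sysmon-style field names (Image, ParentImage, CommandLine, ProcessId, ParentProcessId), the parent PID 1234, the explorer.exe parent and the benign inventory.js event are assumptions for illustration.

```python
import hashlib
import re

# IOCs copied from the report: the submitted DLL and the dropped script.
SUBMITTED_DLL_SHA256 = "8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0"
DROPPED_SCRIPT_SHA256 = "d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c"
KNOWN_BAD_SHA256 = {SUBMITTED_DLL_SHA256, DROPPED_SCRIPT_SHA256}

SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)
# Tolerates the unterminated quote recorded in the report's wscript command line.
JSCRIPT_ARG = re.compile(r'//e:jscript\s+"?([^"]+)"?', re.I)
RUNDLL32_DLL = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)\s*,', re.I)


def script_path_from_cmdline(cmdline):
    """Path passed to wscript.exe //E:jscript, or None if the switch is absent."""
    m = JSCRIPT_ARG.search(cmdline)
    return m.group(1).strip() if m else None


def dll_from_rundll32(cmdline):
    """DLL path from a 'rundll32.exe <dll>,<export>' command line, or None."""
    m = RUNDLL32_DLL.search(cmdline)
    return m.group(1).strip() if m else None


def wscript_reasons(event):
    """Reasons a wscript.exe process-creation event matches the loader stage seen here."""
    reasons = []
    if not event["Image"].lower().endswith("\\wscript.exe"):
        return reasons
    path = script_path_from_cmdline(event["CommandLine"])
    if path is None:
        return reasons
    if PUBLIC_DIR.match(path):
        reasons.append("script staged in C:\\Users\\Public")
    if not path.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("non-script extension forced through //E:jscript")
    if event["ParentImage"].lower().endswith("\\rundll32.exe"):
        reasons.append("spawned by rundll32.exe")
    return reasons


def find_loader_chains(events):
    """Walk parent links from each suspicious wscript.exe back through every
    rundll32.exe ancestor and return the chains root-first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chains = []
    for e in events:
        reasons = wscript_reasons(e)
        if len(reasons) < 2:          # one weak signal alone is not enough
            continue
        chain, cur = [e], e
        while True:
            parent = by_pid.get(cur["ParentProcessId"])
            if parent is None or not parent["Image"].lower().endswith("\\rundll32.exe"):
                break
            chain.append(parent)
            cur = parent
        if len(chain) >= 2:
            chain.reverse()           # root rundll32 first, wscript last
            chains.append({
                "pids": [p["ProcessId"] for p in chain],
                "dll": dll_from_rundll32(chain[0]["CommandLine"]),
                "script": script_path_from_cmdline(e["CommandLine"]),
                "reasons": reasons,
            })
    return chains


def file_digests(data):
    """MD5/SHA1/SHA256/SHA512 of a file's bytes, matching the report's IOC table."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}


def is_known_bad(data):
    """True if the SHA256 of these bytes is one of the report's IOCs."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


# Constructed events: PIDs, images and command lines from behavioral2;
# parent PID 1234, explorer.exe and the inventory.js event are assumed.
SAMPLE_EVENTS = [
    {"ProcessId": 4760, "ParentProcessId": 1234, "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"ProcessId": 4824, "ParentProcessId": 4760, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"ProcessId": 4236, "ParentProcessId": 4824, "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_'},
    {"ProcessId": 5100, "ParentProcessId": 1234, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe //E:jscript C:\Scripts\inventory.js"},
]

if __name__ == "__main__":
    for chain in find_loader_chains(SAMPLE_EVENTS):
        print(chain)
```

On a real host, feed the script Sysmon Event ID 1 records and hash the file it names; the benign explorer-launched .js run above produces no reasons and is ignored, while the report's chain yields all three signals and the DLL path from the root rundll32.exe.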