Malware Analysis Report

2024-11-15 09:08

Sample ID 201109-h6ys3fx4r2
Target sfzs5.cab
SHA256 8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0
Tags
valak Loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8d6b9622624cd70b06e66291bcc27de61ef12aef1a8423ac5af77a9ae33456b0

Threat Level: Known bad

The file sfzs5.cab was found to be: Known bad.

Malicious Activity Summary

valak Loader

Valak JavaScript Loader

Valak

JavaScript code in executable

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2020-11-09 20:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 20:07

Reported

2020-11-10 06:21

Platform

win7v20201028

Max time kernel

74s

Max time network

77s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

N/A

Files

memory/2008-0-0x0000000000000000-mapping.dmp

memory/1424-1-0x0000000000000000-mapping.dmp

C:\Users\Public\DB_TGfNqo.RJFl_

MD5 2207304e71add81999c26eaa15ebbe18
SHA1 68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20
SHA256 d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c
SHA512 589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8

memory/1424-3-0x0000000002700000-0x0000000002704000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 20:07

Reported

2020-11-10 06:21

Platform

win10v20201028

Max time kernel

37s

Max time network

102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

Signatures

Valak

Loader valak

Valak JavaScript Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

JavaScript code in executable

Description Indicator Process Target
N/A N/A N/A N/A
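The "JavaScript code in executable" signature fires in both behavioral1 and behavioral2, but the report does not show what it matched on. The following is an added example of how a practitioner would reproduce that kind of static check; it is not the sandbox's own rule and was not run against sfzs5.cab.dll. It scans a byte blob for JScript / Windows Script Host API tokens in both ASCII and UTF-16LE (the encoding Windows binaries commonly store strings in) and only flags a file when several distinct tokens co-occur, because any one of them alone is common in benign software. The sample bytes, the token list and the threshold are assumptions.

```python
"""Static check for script-host code carried inside an executable.

Added example, not the sandbox's "JavaScript code in executable" rule.
SAMPLE_DLL and CLEAN_PE are constructed byte blobs, not sfzs5.cab.dll.
"""
import re
import sys

# JScript / WSH API strings a loader that drops and runs a script tends
# to carry.  "function(" or "eval(" alone is not conclusive, hence the
# co-occurrence threshold in looks_like_js_carrier().
JS_TOKENS = (
    "ActiveXObject", "WScript.Shell", "Scripting.FileSystemObject",
    "WScript.Echo", "eval(", "unescape(", "function(",
)
ENCODINGS = ("ascii", "utf-16-le")

# Constructed: a fake DOS/PE header, a UTF-16LE JScript fragment and a
# stray ASCII "eval(".
SAMPLE_DLL = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40
    + 'var sh = new ActiveXObject("WScript.Shell");'.encode("utf-16-le")
    + b"\x00" * 16 + b"eval(" + b"\x00" * 8
)
# Constructed: same header, only the usual DOS stub text.
CLEAN_PE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40
    + b"This program cannot be run in DOS mode" + b"\x00" * 8
)


def find_js_indicators(data):
    """Return (offset, encoding, token) for every token hit, sorted by offset."""
    hits = []
    for token in JS_TOKENS:
        for enc in ENCODINGS:
            needle = re.escape(token.encode(enc))
            hits.extend((m.start(), enc, token)
                        for m in re.finditer(needle, data))
    return sorted(hits)


def looks_like_js_carrier(data, min_distinct=2):
    """True when at least min_distinct different tokens occur anywhere."""
    return len({tok for _, _, tok in find_js_indicators(data)}) >= min_distinct


if __name__ == "__main__":
    # Scan a file given on the command line, else the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    for off, enc, tok in find_js_indicators(blob):
        print(f"0x{off:08x} {enc:9} {tok}")
    print("verdict:", "js-carrier" if looks_like_js_carrier(blob) else "clean")
```

Scanning UTF-16LE as well as ASCII matters on Windows samples: a plain `strings`-style ASCII scan misses wide-character literals entirely, and the dropped script in this report (C:\Users\Public\DB_TGfNqo.RJFl_) is what such a scan would find embedded in the DLL before it is written out.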

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                           Target
PID 4760 wrote to memory of 4824  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4760 wrote to memory of 4824  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4760 wrote to memory of 4824  N/A        C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 4824 wrote to memory of 4236  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\wscript.exe
PID 4824 wrote to memory of 4236  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\wscript.exe
PID 4824 wrote to memory of 4236  N/A        C:\Windows\SysWOW64\rundll32.exe  C:\Windows\SysWOW64\wscript.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1

C:\Windows\SysWOW64\wscript.exe

wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
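Both behavioral runs show the same chain: system32\rundll32.exe loads sfzs5.cab.dll by ordinal (#1) from the user's Temp directory, hands off to the SysWOW64 copy of rundll32.exe (consistent with a 32-bit DLL on a 64-bit host), and that process starts wscript.exe with an explicit //E:jscript engine override on a file in C:\Users\Public whose extension is not a script extension. The WriteProcessMemory events the sandbox records are from each parent into its own child and also occur during ordinary process creation, so the parent/child relationship and the command lines are the more useful detection handles. The following is an added detection example written for this report, not sandbox output: it replays constructed process-creation events (PIDs, images and command lines copied from behavioral2; the parent PID of the first rundll32, the benign .vbs event and the Sysmon-style field names are assumptions) and flags each step of the chain.

```python
"""Process-chain detection modelled on this report's behavioral2 tree.

Added example, not part of the sandbox report.  EVENTS is constructed:
PIDs, images and command lines come from the report, ppid 1234 and the
final benign wscript event are assumed.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions for which the Windows Script Host picks an engine itself;
# //E: is only needed when the file name does not carry one of these.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ENGINE_RE = re.compile(r"//E:(\w+)", re.IGNORECASE)
# rundll32 <dll>,#<ordinal>
RUNDLL_RE = re.compile(r"\S+\s+(.+?),\s*#(\d+)\s*$")

EVENTS = [
    {"pid": 4760, "ppid": 1234, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"pid": 4824, "ppid": 4760, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sfzs5.cab.dll,#1"},
    {"pid": 4236, "ppid": 4824, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": r'wscript.exe //E:jscript "C:\Users\Public\DB_TGfNqo.RJFl_"'},
    # Assumed benign: a logon script run with the default engine for .vbs.
    {"pid": 5000, "ppid": 1234, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\Admin\Documents\logon.vbs"'},
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def script_path(cmd):
    """Script argument of a wscript/cscript command line, or None.

    Accepts a quoted path even when the closing quote is missing, which
    is how the sandbox recorded the wscript.exe line in this report."""
    m = re.search(r'"([^"]+)"?', cmd)
    if m:
        return m.group(1)
    args = [a for a in cmd.split()[1:] if not a.startswith("/")]
    return args[-1] if args else None


def ancestry(events, pid):
    """Image names from pid upward until the parent is not in events."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def check_event(event, events):
    """Rule names tripped by one process-creation event."""
    findings = []
    name, cmd = image_name(event["image"]), event["cmd"]
    if name in SCRIPT_HOSTS:
        path = script_path(cmd)
        if path:
            ext = PureWindowsPath(path).suffix.lower()
            # Engine forced on the command line because the file name
            # would not select one: the extension is being hidden.
            if ENGINE_RE.search(cmd) and ext not in SCRIPT_EXTS:
                findings.append("script_engine_override_nonscript_ext")
            # World-writable staging directory used by the dropper.
            if path.lower().startswith("c:\\users\\public\\"):
                findings.append("script_from_users_public")
        parents = ancestry(events, event["ppid"])
        if parents and parents[0] == "rundll32.exe":
            findings.append("script_host_spawned_by_rundll32")
    elif name == "rundll32.exe":
        m = RUNDLL_RE.match(cmd)
        if m and "\\appdata\\local\\temp\\" in m.group(1).lower():
            findings.append("rundll32_ordinal_export_from_temp")
    return findings


def analyze(events):
    """Map pid -> findings for every event that trips at least one rule."""
    result = {}
    for e in events:
        findings = check_event(e, events)
        if findings:
            result[e["pid"]] = findings
    return result


if __name__ == "__main__":
    for pid, findings in analyze(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), findings)
```

The engine-override rule is the one that survives renaming: the dropped file can be called anything, but as long as it is not given a script extension the loader has to pass //E:jscript, and that flag plus a non-script extension is rare in legitimate use.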

Network

N/A

Files

memory/4824-0-0x0000000000000000-mapping.dmp

memory/4236-1-0x0000000000000000-mapping.dmp

C:\Users\Public\DB_TGfNqo.RJFl_

MD5 2207304e71add81999c26eaa15ebbe18
SHA1 68a88e2b71deff00ad5ea7bdcbf65be2e9ca7b20
SHA256 d785c900d0226c787ab4eaa6ed409f2ee0507b18a2b8182e4f631f22fadd113c
SHA512 589cffcfb0b6f9f3acb375f02c6b416975796562070baee47f3604729a429e2459e812810cca4855cf4fb1fff70ef8b3f76e617b9f0a87897c8bf3bef8a381c8