b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1

General

Target

FYI Jan2021.js
Size

179KB
MD5

cc6b06080d6ed3d480da394b0ed1c502
SHA1

5a5842f4441de74004240970524830ef82ecc0db
SHA256

b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1
SHA512

f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

Processes:

wscript.exe

flow pid process

8 1480 wscript.exe
10 1480 wscript.exe
19 1480 wscript.exe
20 1480 wscript.exe
21 1480 wscript.exe
22 1480 wscript.exe
23 1480 wscript.exe

flow	pid	process
8	1480	wscript.exe
10	1480	wscript.exe
19	1480	wscript.exe
20	1480	wscript.exe
21	1480	wscript.exe
22	1480	wscript.exe
23	1480	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FYI Jan2021.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FYI Jan2021 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\FYI Jan2021.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\software\microsoft\windows\currentversion\run	wscript.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\FYI Jan2021.js	js

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

wscript.exe

description pid process target process

PID 576 wrote to memory of 1480 576 wscript.exe wscript.exe
PID 576 wrote to memory of 1480 576 wscript.exe wscript.exe

flow	ioc
7	ip-api.com

description	pid	process	target process
PID 576 wrote to memory of 1480	576	wscript.exe	wscript.exe
PID 576 wrote to memory of 1480	576	wscript.exe	wscript.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FYI Jan2021.js"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\FYI Jan2021.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FYI Jan2021.js
MD5
cc6b06080d6ed3d480da394b0ed1c502

SHA1
5a5842f4441de74004240970524830ef82ecc0db

SHA256
b6f981e71a5ae535ab355f72ace1b43a1242a9a80c8472868b10b56273d9ecf1

SHA512
f97e556ff60622c8ae5843285f2365b0be975c9d9a04c413dafdabfbe9a7bc293a3cb455ba3d14a1fd09fe8e35ddaf7f40a94f9c5a173f9a7475171d02b83392

Download Submit
memory/1480-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads