43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10

Analysis

max time kernel
130s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
20-01-2021 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jojojo.exe
Size

34KB
MD5

5bb718a52c52383cea5361519559b683
SHA1

54298a1c380568d1d76b103fa267ded82d6a778a
SHA256

43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10
SHA512

36ad2bbb7315f4290844cb433c081265815b69553c2fd025615e989bbf3214f16d0686e100f701db7c827d9c43f0d21f41da9b3d5648ec423b14b35ecc7d9781

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

jojojo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jojojo.exe\""	jojojo.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jojojo.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	jojojo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	jojojo.exe

Drops startup file 2 IoCs

Processes:

jojojo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe	jojojo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe	jojojo.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

jojojo.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	jojojo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	jojojo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	jojojo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	jojojo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe = "0"	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\jojojo.exe = "0"	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	jojojo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	jojojo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jojojo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jojojo.exe"	jojojo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\jojojo.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jojojo.exe"	jojojo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jojojo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	jojojo.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	jojojo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

jojojo.exe

pid	process
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe
3008	jojojo.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

jojojo.exe

description	pid	process	target process
PID 3008 set thread context of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 set thread context of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 set thread context of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 set thread context of 4068	3008	jojojo.exe	jojojo.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

jojojo.exepowershell.exepowershell.exepowershell.exejojojo.exepowershell.exe

pid	process
3008	jojojo.exe
3160	powershell.exe
4056	powershell.exe
3836	powershell.exe
3988	jojojo.exe
3988	jojojo.exe
3224	powershell.exe
3160	powershell.exe
3224	powershell.exe
4056	powershell.exe
3836	powershell.exe
4056	powershell.exe
3160	powershell.exe
3836	powershell.exe
3224	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

jojojo.exepowershell.exepowershell.exepowershell.exepowershell.exejojojo.exe

description	pid	process
Token: SeDebugPrivilege	3008	jojojo.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3988	jojojo.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

jojojo.exe

description	pid	process	target process
PID 3008 wrote to memory of 3160	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3160	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3160	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 4056	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 4056	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 4056	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3224	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3224	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3224	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3836	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3836	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3836	3008	jojojo.exe	powershell.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3988	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 1340	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 3612	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 4068	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 4068	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 4068	3008	jojojo.exe	jojojo.exe
PID 3008 wrote to memory of 4068	3008	jojojo.exe	jojojo.exe

C:\Users\Admin\AppData\Local\Temp\jojojo.exe
"C:\Users\Admin\AppData\Local\Temp\jojojo.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jojojo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\jojojo.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\AppData\Local\Temp\jojojo.exe
"C:\Users\Admin\AppData\Local\Temp\jojojo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Users\Admin\AppData\Local\Temp\jojojo.exe
"C:\Users\Admin\AppData\Local\Temp\jojojo.exe"
2⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\jojojo.exe
"C:\Users\Admin\AppData\Local\Temp\jojojo.exe"
2⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\jojojo.exe
"C:\Users\Admin\AppData\Local\Temp\jojojo.exe"
2⤵
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
64e34d33210e1203471687e2ad48558a

SHA1
25c2a45aec0ba1cc4c0f6b2e8a646929e001e9f6

SHA256
6935841f8479e74c10c5a894ab15fb1bf748fdc7e6d1385068ba67382b5610b9

SHA512
e1c0cd8e54c45dbd21d76a2daaaedc0dd55c1a4e7d891797305009a77532adad5bfd840464593e5dba3a2abf62ee396d5ee7823b00e2045bc1a6f1ce8faf2b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
64e34d33210e1203471687e2ad48558a

SHA1
25c2a45aec0ba1cc4c0f6b2e8a646929e001e9f6

SHA256
6935841f8479e74c10c5a894ab15fb1bf748fdc7e6d1385068ba67382b5610b9

SHA512
e1c0cd8e54c45dbd21d76a2daaaedc0dd55c1a4e7d891797305009a77532adad5bfd840464593e5dba3a2abf62ee396d5ee7823b00e2045bc1a6f1ce8faf2b4f

Download Submit
memory/1340-33-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-32-0x000000000043748E-mapping.dmp

Download
memory/3008-10-0x0000000000C20000-0x0000000000C84000-memory.dmp

Filesize
400KB

Download
memory/3008-2-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-8-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3008-54-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/3008-7-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/3008-6-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/3008-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3008-9-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3160-120-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download
memory/3160-73-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/3160-20-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/3160-133-0x0000000006ED3000-0x0000000006ED4000-memory.dmp

Filesize
4KB

Download
memory/3160-116-0x0000000009120000-0x0000000009121000-memory.dmp

Filesize
4KB

Download
memory/3160-84-0x0000000008FF0000-0x0000000009023000-memory.dmp

Filesize
204KB

Download
memory/3160-16-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3160-18-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/3160-69-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/3160-50-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/3160-12-0x0000000000000000-mapping.dmp

Download
memory/3160-42-0x0000000006ED2000-0x0000000006ED3000-memory.dmp

Filesize
4KB

Download
memory/3160-39-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/3160-55-0x0000000007B40000-0x0000000007B41000-memory.dmp

Filesize
4KB

Download
memory/3160-34-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/3224-19-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3224-14-0x0000000000000000-mapping.dmp

Download
memory/3224-115-0x000000007EB10000-0x000000007EB11000-memory.dmp

Filesize
4KB

Download
memory/3224-49-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3224-111-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/3224-132-0x0000000000CB3000-0x0000000000CB4000-memory.dmp

Filesize
4KB

Download
memory/3224-52-0x0000000000CB2000-0x0000000000CB3000-memory.dmp

Filesize
4KB

Download
memory/3224-135-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/3612-41-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3612-38-0x000000000043748E-mapping.dmp

Download
memory/3836-57-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/3836-134-0x00000000073E3000-0x00000000073E4000-memory.dmp

Filesize
4KB

Download
memory/3836-58-0x00000000073E2000-0x00000000073E3000-memory.dmp

Filesize
4KB

Download
memory/3836-23-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3836-143-0x0000000009C60000-0x0000000009C61000-memory.dmp

Filesize
4KB

Download
memory/3836-124-0x000000007F050000-0x000000007F051000-memory.dmp

Filesize
4KB

Download
memory/3836-15-0x0000000000000000-mapping.dmp

Download
memory/3988-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3988-30-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3988-27-0x000000000043748E-mapping.dmp

Download
memory/3988-46-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3988-129-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/4056-17-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4056-77-0x0000000008410000-0x0000000008411000-memory.dmp

Filesize
4KB

Download
memory/4056-122-0x000000007EDF0000-0x000000007EDF1000-memory.dmp

Filesize
4KB

Download
memory/4056-131-0x0000000006EB3000-0x0000000006EB4000-memory.dmp

Filesize
4KB

Download
memory/4056-125-0x0000000009700000-0x0000000009701000-memory.dmp

Filesize
4KB

Download
memory/4056-51-0x0000000006EB2000-0x0000000006EB3000-memory.dmp

Filesize
4KB

Download
memory/4056-47-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/4056-13-0x0000000000000000-mapping.dmp

Download
memory/4068-45-0x000000000043748E-mapping.dmp

Download