General
- Target: readme.js
- Size: 9KB
- Sample: 210218-gtpzsdcqhe
- MD5: e294d6f427c64f77b5b61bb7b17dd12c
- SHA1: ccdae3ada854cc441106ec52c12823439bab6cba
- SHA256: 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719
- SHA512: 2c974b0969e4d9b3d1ded364c0a6033e827f0a4890730b9b062c76b690425f8fefc90aa8c9e6dfc599a7909e18a949c6a4b2d4b5dd5787a3bbac0834e70fe82a
Static task: static1
Behavioral task: behavioral1
- Sample: readme.js
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: readme.js
- Resource: win10v20201028
Malware Config
- Extracted: http://t.zz3r0.com
- Extracted: http://t.zer9g.com
- Extracted: http://t.bb3u9.com
Targets
- Target: readme.js
- XMRig Miner Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
- Stops running service(s)
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory