Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 03:34
Static task: static1
Behavioral task: behavioral1
Sample: jabastin.exe
Resource: win7v20201028

General
Target: jabastin.exe
Size: 219KB
MD5: bf2280363178076f4f5e4f6b1560c4bb
SHA1: 8cff680cbc56da797f68e234901b16a8067abbd8
SHA256: c0c03ed0990ed10f1f253b8db22d6126a344388797b920909c64f5307c42da40
SHA512: b2b652de7fa1341d8b868c7d995a2713e25184cc12255dc9831ca6d4b04a60d060ecd1b9364deed565114906fae423bd36f4c43182d4215d3505a9f69253aee9
Malware Config
Extracted
xloader
http://www.injectionhub.com/nppk/
Signatures

Xloader Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/5096-5-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4232-11-0x0000000002DB0000-0x0000000002DD9000-memory.dmp | xloader

Loads dropped DLL (1 IoCs)
Processes:
pid | process
4684 | jabastin.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 4684 set thread context of 5096 | 4684 | jabastin.exe | jabastin.exe
PID 5096 set thread context of 3128 | 5096 | jabastin.exe | Explorer.EXE
PID 4232 set thread context of 3128 | 4232 | cmstp.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct rows; the original table repeats these across 64 events):
pid | process
4684 | jabastin.exe
5096 | jabastin.exe
4232 | cmstp.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid | process
4684 | jabastin.exe
5096 | jabastin.exe
5096 | jabastin.exe
5096 | jabastin.exe
4232 | cmstp.exe
4232 | cmstp.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 5096 | jabastin.exe
Token: SeShutdownPrivilege | 3128 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3128 | Explorer.EXE
Token: SeShutdownPrivilege | 3128 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3128 | Explorer.EXE
Token: SeDebugPrivilege | 4232 | cmstp.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description | pid | process | target process
PID 4684 wrote to memory of 5096 | 4684 | jabastin.exe | jabastin.exe (4 events)
PID 3128 wrote to memory of 4232 | 3128 | Explorer.EXE | cmstp.exe (3 events)
PID 4232 wrote to memory of 3304 | 4232 | cmstp.exe | cmd.exe (3 events)
Processes (process tree; indentation shows depth)

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\jabastin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\jabastin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe
  Command line: "C:\Windows\SysWOW64\cmstp.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\jabastin.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsu2B9B.tmp\p3tkf.dll
MD5: d4f92f1c48fff5c30de03897eee21c95
SHA1: 3341a9ca0906f94e95856453b19385a7957e101f
SHA256: 2036564a7e2ffa08e02d3e52a51727e28297e7d7901b3cf659a1142719a52cd4
SHA512: e53bd79f0e853f5b699d54482bc94ebbaa627e0ea861e3fc82ff38d3049f04034c91ea85910731dccaec0434ea63b6f78581b26f8872c7d9039a1e768f24411b

memory/3128-8-0x0000000004F00000-0x000000000502D000-memory.dmp (Filesize: 1.2MB)
memory/3128-15-0x0000000005030000-0x0000000005180000-memory.dmp (Filesize: 1.3MB)
memory/3304-12-0x0000000000000000-mapping.dmp
memory/4232-9-0x0000000000000000-mapping.dmp
memory/4232-10-0x0000000000150000-0x0000000000166000-memory.dmp (Filesize: 88KB)
memory/4232-11-0x0000000002DB0000-0x0000000002DD9000-memory.dmp (Filesize: 164KB)
memory/4232-13-0x0000000004500000-0x0000000004820000-memory.dmp (Filesize: 3.1MB)
memory/4232-14-0x00000000048B0000-0x0000000004940000-memory.dmp (Filesize: 576KB)
memory/5096-5-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
memory/5096-7-0x00000000008E0000-0x00000000008F1000-memory.dmp (Filesize: 68KB)
memory/5096-6-0x00000000009D0000-0x0000000000CF0000-memory.dmp (Filesize: 3.1MB)
memory/5096-3-0x000000000041D090-mapping.dmp