096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

Analysis

max time kernel
52s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
02-06-2021 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aed57d50123897b0012c35ef5dec4184.exe
Size

971KB
MD5

aed57d50123897b0012c35ef5dec4184
SHA1

568571b12ca44a585df589dc810bf53adf5e8050
SHA256

096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512

ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1800	jfiag3g_gg.exe
316	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000689-115.dat	upx
behavioral2/files/0x0008000000000689-116.dat	upx
behavioral2/files/0x000400000001ab5e-119.dat	upx
behavioral2/files/0x000400000001ab5e-120.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
316	jfiag3g_gg.exe
316	jfiag3g_gg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 1800	3976	aed57d50123897b0012c35ef5dec4184.exe	75
PID 3976 wrote to memory of 1800	3976	aed57d50123897b0012c35ef5dec4184.exe	75
PID 3976 wrote to memory of 1800	3976	aed57d50123897b0012c35ef5dec4184.exe	75
PID 3976 wrote to memory of 316	3976	aed57d50123897b0012c35ef5dec4184.exe	80
PID 3976 wrote to memory of 316	3976	aed57d50123897b0012c35ef5dec4184.exe	80
PID 3976 wrote to memory of 316	3976	aed57d50123897b0012c35ef5dec4184.exe	80

C:\Users\Admin\AppData\Local\Temp\aed57d50123897b0012c35ef5dec4184.exe
"C:\Users\Admin\AppData\Local\Temp\aed57d50123897b0012c35ef5dec4184.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads