096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

Analysis

max time kernel
19s
max time network
128s
platform
windows10_x64
resource
win10v20210408
submitted
21-08-2021 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jooyu.exe
Size

971KB
MD5

aed57d50123897b0012c35ef5dec4184
SHA1

568571b12ca44a585df589dc810bf53adf5e8050
SHA256

096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512

ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4132	jfiag3g_gg.exe
4200	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000000689-115.dat	upx
behavioral2/files/0x0008000000000689-116.dat	upx
behavioral2/files/0x000200000001a4f4-119.dat	upx
behavioral2/files/0x000200000001a4f4-120.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4200	jfiag3g_gg.exe
4200	jfiag3g_gg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 4132	4652	jooyu.exe	73
PID 4652 wrote to memory of 4132	4652	jooyu.exe	73
PID 4652 wrote to memory of 4132	4652	jooyu.exe	73
PID 4652 wrote to memory of 4200	4652	jooyu.exe	75
PID 4652 wrote to memory of 4200	4652	jooyu.exe	75
PID 4652 wrote to memory of 4200	4652	jooyu.exe	75

C:\Users\Admin\AppData\Local\Temp\jooyu.exe
"C:\Users\Admin\AppData\Local\Temp\jooyu.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads