Overview

overview

10

Static

static

Gesuchte Maschinen.js

windows7_x64

10

Gesuchte Maschinen.js

windows10_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    30-08-2021 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Gesuchte Maschinen.js

  • Size

    313KB

  • MD5

    e1c35fbb0a2f810800e6619448f0fec6

  • SHA1

    8a84a677134b31b93434e8aedc9cea27e91f6058

  • SHA256

    3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06

  • SHA512

    1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27

Score
10/10
vjw0rmxloadero7htloaderpersistenceratsuricatatrojanworm

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

o7ht

C2

http://www.tadrxp.com/o7ht/

Decoy

crs-onlineshop.com

desertrosecamping.com

frequencyclips.com

andrewhair.com

leuswim.com

revenuecat.net

payplticket593178197.info

replacementrs.com

flnativemilkmilkweed.com

rintashop.com

shonan5656.com

lexingtonclarke.com

alfapvp2020.xyz

buywetsuitsonline.com

gomihuomh.com

rabo-betaling.xyz

thyhotyoga.com

careplayground.com

bitlineage.com

5923699.com

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

    trojanwormvjw0rm
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Xloader Payload 3 IoCs
    rat
  • Blocklisted process makes network request 17 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1244
    • C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\Gesuchte Maschinen.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2008
      • C:\Users\Admin\AppData\Roaming\bin.exe
        "C:\Users\Admin\AppData\Roaming\bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\SysWOW64\svchost.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
            5⤵
              PID:1140

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\bin.exe
      MD5

      387be3e3c86fc9d6a2c1923863f39a7d

      SHA1

      a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2

      SHA256

      1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6

      SHA512

      7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\bin.exe
      MD5

      387be3e3c86fc9d6a2c1923863f39a7d

      SHA1

      a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2

      SHA256

      1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6

      SHA512

      7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js
      MD5

      e2e1a525cffad9ed1e32f5c5c2f182aa

      SHA1

      4009388a60a33416e81f6b6ebe4ee752f2eedeb8

      SHA256

      41609d1f9bbf9fbefba7505632a5de15e8379fa0d468482665ea050e73927030

      SHA512

      609f4d04f638766034b5cdf3d15df25b96652e737ff0afbb655609e51c55accfe410dc9722d8191c615d93f59b6c60820393f8e44b362896499e10d7c7aac792

      Download Submit
    • memory/792-60-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1140-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1244-77-0x00000000048E0000-0x00000000049DE000-memory.dmp
      Filesize

      1016KB

      Download
    • memory/1244-72-0x0000000004220000-0x00000000042EF000-memory.dmp
      Filesize

      828KB

      Download
    • memory/1244-66-0x00000000078A0000-0x0000000007A33000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1556-68-0x0000000000000000-mapping.dmp
      Download
    • memory/1556-75-0x00000000008C0000-0x0000000000BC3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1556-74-0x0000000000080000-0x00000000000A8000-memory.dmp
      Filesize

      160KB

      Download
    • memory/1556-76-0x0000000000490000-0x000000000051F000-memory.dmp
      Filesize

      572KB

      Download
    • memory/1556-73-0x0000000000DF0000-0x0000000000DF8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1556-78-0x0000000075041000-0x0000000075043000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1904-67-0x0000000000110000-0x0000000000120000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1904-65-0x0000000000AA0000-0x0000000000DA3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1904-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1904-71-0x0000000000160000-0x0000000000170000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2008-61-0x0000000000000000-mapping.dmp
      Download