Analysis
- max time kernel: 1792s
- max time network: 1796s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 17-06-2022 15:19

Static task: static1

Behavioral task: behavioral1
- Sample: jyahaoabcs.js
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: jyahaoabcs.js
- Resource: win10-20220414-en

General
- Target: jyahaoabcs.js
- Size: 953KB
- MD5: b0858d86fb22aa01d7ad40ef5ab0b069
- SHA1: 6c6c7a2f34149a8702d2ae401294291d38c064a0
- SHA256: 0055c6430d720c28a449fd9df4d9fcb440dfec67f3eff217adfd6e0a2fa97bd0
- SHA512: 980423d2379677a469205c1119cdd323ea36331d53aa46eae98c5fedf67be2cae7023e63e14e7ffb1bb40a378ce3f700f6facfd5edb6a14dba531daddaaba8d6
Malware Config
Signatures
-
Blocklisted process makes network request (64 IoCs)
Processes: WScript.exe
All 64 network flows were made by pid 3040 (WScript.exe). Flow ids: 2, 4, 5, 7, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 46, 47, 48, 49, 50, 51, 52, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76.
Drops startup file (2 IoCs)
Processes: WScript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js (WScript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yBzacvcZKX.js (WScript.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: WScript.exe
Key created: \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run (WScript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\yBzacvcZKX.js\"" (WScript.exe)
Drops file in Program Files directory (24 IoCs)
Processes: java.exe, javaw.exe
All 24 entries are "File opened for modification"; the process responsible is given in parentheses:
C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (java.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (javaw.exe)
C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (javaw.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class (1 IoCs)
Processes: wscript.exe
Key created: \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\Local Settings (wscript.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: wscript.exe, javaw.exe
PID 3708 (wscript.exe) wrote to memory of PID 3040 (WScript.exe)
PID 3708 (wscript.exe) wrote to memory of PID 3040 (WScript.exe)
PID 3708 (wscript.exe) wrote to memory of PID 4332 (javaw.exe)
PID 3708 (wscript.exe) wrote to memory of PID 4332 (javaw.exe)
PID 4332 (javaw.exe) wrote to memory of PID 4700 (java.exe)
PID 4332 (javaw.exe) wrote to memory of PID 4700 (java.exe)
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jyahaoabcs.js
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ckmcyrpf.txt"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.44692350648420218561336289143621866.class
      - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  Filesize: 50B
  MD5: 083101c35e753ff5378d32e36afcae04
  SHA1: ce95fbce6c87fbaad41e3cb86c3cf7f9beab693e
  SHA256: 8d48cfef823bd98316515efa36f4f03c4ddefcd3814d7ef3302c522a5a10945d
  SHA512: de02bfbad16facbf6cd160cf2091110d0909a4ae7d1f01af1a7af9bf27e84ed7a2ad735796bc7a284d6c8d0eb7987e92a4b631d961e0e9e112d53cc366f9d9c9
- C:\Users\Admin\AppData\Local\Temp\_0.44692350648420218561336289143621866.class
  Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4236190499-842014725-259441995-1000\83aa4cc77f591dfc2374580bbd95f6ba_99ef72a1-556b-4cb4-bc70-9c60abc7d0ea
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- C:\Users\Admin\AppData\Roaming\ckmcyrpf.txt
  Filesize: 479KB
  MD5: 0af2ffb0e3a810f556a0eef909a5ecc7
  SHA1: 641fe60bfa8569a0a13dc9279ea1cafb5cb912ad
  SHA256: 9d05feba177ac6b9433f0a28bf9e6ba9828f1621f625f7ca80009a1cf5b5374b
  SHA512: 883f01a0d0c2ed6ada0dd3d2b4548d01b54f6cf4fcfd6a39f9a61511147fefc4ea8ad4392873fd54e4d7c1c04adc01c94bf99447ddfcde925340ae4ea409b1c9
- C:\Users\Admin\AppData\Roaming\yBzacvcZKX.js
  Filesize: 24KB
  MD5: 9cb94db4ae02bd253f2a41995076f5d2
  SHA1: 51ff0dc0516a93a8ac5620ccfa4b0e7750ebaeb1
  SHA256: 16288f415596cee7e80051087859c51cd5f2a44cc0c98b708b78a87f89c0a9ec
  SHA512: f3277d959dc34dc4d920261de1cdcf82712982d543b7901f5ddfa7f0a793a33670aa1fec23aa7468ade221e275b02cfa948d3d15aa8fe63a3a011d3363ee4161
- memory/3040-117-0x0000000000000000-mapping.dmp
- memory/4332-118-0x0000000000000000-mapping.dmp
- memory/4332-125-0x0000000002710000-0x0000000003710000-memory.dmp
  Filesize: 16.0MB
- memory/4332-151-0x0000000002710000-0x0000000003710000-memory.dmp
  Filesize: 16.0MB
- memory/4700-131-0x0000000000000000-mapping.dmp
- memory/4700-142-0x0000000002940000-0x0000000003940000-memory.dmp
  Filesize: 16.0MB
- memory/4700-150-0x0000000002940000-0x0000000003940000-memory.dmp
  Filesize: 16.0MB