Malware Analysis Report

2024-11-30 20:56

Sample ID 220815-rkyt3abffq
Target Vancouver_police_union_collective_agreement (gsc).js
SHA256 5d17a080294b9ccfb21bccce5b95aee10adabd0467ce54d911b75897945c666f
Tags
gootloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5d17a080294b9ccfb21bccce5b95aee10adabd0467ce54d911b75897945c666f

Threat Level: Known bad

The file Vancouver_police_union_collective_agreement (gsc).js was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Script User-Agent

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-15 14:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-15 14:15

Reported

2022-08-15 14:21

Platform

win7-20220812-en

Max time kernel

184s

Max time network

189s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1\Blob = (certificate blob data omitted) | C:\Windows\system32\wscript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1\Blob = (certificate blob data omitted) | C:\Windows\system32\wscript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1\Blob = (certificate blob data omitted) | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1 | C:\Windows\system32\wscript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BDE7456F5C07980167D7BD31779FBDF1E4EB25C1\Blob = (certificate blob data omitted) | C:\Windows\system32\wscript.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.lukeamiller.net | udp
N/A | 100.100.25.226:443 | www.lukeamiller.net | tcp
US | 8.8.8.8:53 | www.luckies.cc | udp
N/A | 100.124.142.250:443 | www.luckies.cc | tcp
US | 8.8.8.8:53 | www.ludovicmarque.fr | udp
N/A | 100.82.243.193:443 | www.ludovicmarque.fr | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-15 14:15

Reported

2022-08-15 14:21

Platform

win10v2004-20220812-en

Max time kernel

174s

Max time network

178s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Vancouver_police_union_collective_agreement (gsc).js"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
NL | 104.80.225.205:443 | N/A | tcp
IE | 13.69.239.73:443 | N/A | tcp
US | 8.8.8.8:53 | www.lukeamiller.net | udp
N/A | 100.97.161.106:443 | www.lukeamiller.net | tcp
US | 8.8.8.8:53 | www.luckies.cc | udp
N/A | 100.89.181.116:443 | www.luckies.cc | tcp
US | 8.8.8.8:53 | www.ludovicmarque.fr | udp
N/A | 100.72.6.68:443 | www.ludovicmarque.fr | tcp

Files

N/A