General
-
Target
Readme.jse
-
Size
1KB
-
Sample
220906-ytvx4aaaf2
-
MD5
afbbf88c39646d17dcc0ce6383204b3b
-
SHA1
cd3a92e79faa4e1e9011ac21fa6beeb285657993
-
SHA256
d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
-
SHA512
e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574
Malware Config
Extracted
https://drive.google.com/uc?id=1iktVtJAbuAyKtOK0xSpQJnmm88EicL4d&export=download
Targets
-
-
Target
Readme.jse
-
Size
1KB
-
MD5
afbbf88c39646d17dcc0ce6383204b3b
-
SHA1
cd3a92e79faa4e1e9011ac21fa6beeb285657993
-
SHA256
d215bed00e78a30a169a76965364ba10205d24e1803a5d8cabdb22616679ef61
-
SHA512
e500ad5231b81b5ae5a92db03db8fe87c67299b7865b3f36293c98bb46614d17f3e11e712023d6fa06812c4717174f96db17ff36c2c8b2160ce71fe2b8909574
Score10/10-
Modifies WinLogon for persistence
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-