Malware Analysis Report

2024-11-13 16:37

Sample ID 220912-rt1d9ahcbj
Target cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js
SHA256 cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177
Tags
gootloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177

Threat Level: Known bad

The file cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js was found to be: Known bad.

Malicious Activity Summary

gootloader loader

GootLoader

Blocklisted process makes network request

Script User-Agent

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-12 14:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-12 14:29

Reported

2022-09-12 14:32

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js

Signatures

GootLoader

loader gootloader

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 13.107.4.50:80 tcp
US 93.184.220.29:80 tcp
US 20.189.173.7:443 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 www.lovlr.com udp
DK 77.111.240.6:443 www.lovlr.com tcp
US 8.8.8.8:53 www.lukeamiller.net udp
US 69.163.163.127:443 www.lukeamiller.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-12 14:29

Reported

2022-09-12 14:32

Platform

win7-20220812-en

Max time kernel

103s

Max time network

106s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\cf289365a712b071fb54a4fe548f55c4f569cf21471267bd4abda272a07f0177.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.lovlr.com udp
DK 77.111.240.6:443 www.lovlr.com tcp
DK 77.111.240.6:443 www.lovlr.com tcp

Files

N/A