Overview
overview
5Static
static
4var www ht...han.js
windows7-x64
1var www ht...han.js
windows10-2004-x64
1var www ht...022.js
windows7-x64
1var www ht...022.js
windows10-2004-x64
1var www ht...api.js
windows7-x64
1var www ht...api.js
windows10-2004-x64
1var www ht...h.alfa
ubuntu-18.04-amd64
5var www ht...h.alfa
debian-9-armhf
5var www ht...h.alfa
debian-9-mips
1var www ht...h.alfa
debian-9-mipsel
5var www ht...r.alfa
ubuntu-18.04-amd64
var www ht...r.alfa
debian-9-armhf
var www ht...r.alfa
debian-9-mips
var www ht...r.alfa
debian-9-mipsel
var www ht...l.alfa
ubuntu-18.04-amd64
5var www ht...l.alfa
debian-9-armhf
1var www ht...l.alfa
debian-9-mips
1var www ht...l.alfa
debian-9-mipsel
5var www ht...y.alfa
ubuntu-18.04-amd64
var www ht...y.alfa
debian-9-armhf
var www ht...y.alfa
debian-9-mips
var www ht...y.alfa
debian-9-mipsel
var www ht...han.js
windows7-x64
1var www ht...han.js
windows10-2004-x64
1var www ht...ory.js
windows7-x64
1var www ht...ory.js
windows10-2004-x64
1var www ht...a.html
windows7-x64
1var www ht...a.html
windows10-2004-x64
1var www ht...o.html
windows7-x64
1var www ht...o.html
windows10-2004-x64
1var www ht...oto.js
windows7-x64
1var www ht...oto.js
windows10-2004-x64
1Resubmissions
19-07-2023 21:16
230719-z4frlabb95 419-07-2023 21:13
230719-z2sndabb89 511-11-2022 04:56
221111-fkt1bsbcbk 5Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
11-11-2022 04:56
Behavioral task
behavioral1
Sample
var www html kemhan/.kemhan.js
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
var www html kemhan/.kemhan.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
var www html kemhan/2022/.2022.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
var www html kemhan/2022/.2022.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
var www html kemhan/alfacgiapi/.alfacgiapi.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
var www html kemhan/alfacgiapi/.alfacgiapi.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
var www html kemhan/alfacgiapi/bash.alfa
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral8
Sample
var www html kemhan/alfacgiapi/bash.alfa
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral9
Sample
var www html kemhan/alfacgiapi/bash.alfa
Resource
debian9-mipsbe-en-20211208
debian-9-mips
Behavioral task
behavioral10
Sample
var www html kemhan/alfacgiapi/bash.alfa
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
Behavioral task
behavioral11
Sample
var www html kemhan/alfacgiapi/getheader.alfa
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral12
Sample
var www html kemhan/alfacgiapi/getheader.alfa
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral13
Sample
var www html kemhan/alfacgiapi/getheader.alfa
Resource
debian9-mipsbe-en-20211208
debian-9-mips
Behavioral task
behavioral14
Sample
var www html kemhan/alfacgiapi/getheader.alfa
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
Behavioral task
behavioral15
Sample
var www html kemhan/alfacgiapi/perl.alfa
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral16
Sample
var www html kemhan/alfacgiapi/perl.alfa
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral17
Sample
var www html kemhan/alfacgiapi/perl.alfa
Resource
debian9-mipsbe-en-20211208
debian-9-mips
Behavioral task
behavioral18
Sample
var www html kemhan/alfacgiapi/perl.alfa
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
Behavioral task
behavioral19
Sample
var www html kemhan/alfacgiapi/py.alfa
Resource
ubuntu1804-amd64-en-20211208
ubuntu-18.04-amd64
Behavioral task
behavioral20
Sample
var www html kemhan/alfacgiapi/py.alfa
Resource
debian9-armhf-en-20211208
debian-9-armhf
Behavioral task
behavioral21
Sample
var www html kemhan/alfacgiapi/py.alfa
Resource
debian9-mipsbe-en-20211208
debian-9-mips
Behavioral task
behavioral22
Sample
var www html kemhan/alfacgiapi/py.alfa
Resource
debian9-mipsel-en-20211208
debian-9-mipsel
Behavioral task
behavioral23
Sample
var www html kemhan/arti-logo-kemhan.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral24
Sample
var www html kemhan/arti-logo-kemhan.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
var www html kemhan/category/.category.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral26
Sample
var www html kemhan/category/.category.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
var www html kemhan/category/berita.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral28
Sample
var www html kemhan/category/berita.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
var www html kemhan/category/foto.html
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral30
Sample
var www html kemhan/category/foto.html
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
var www html kemhan/category/foto/.foto.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral32
Sample
var www html kemhan/category/foto/.foto.js
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
var www html kemhan/category/foto.html
-
Size
65KB
-
MD5
b592d1499fddc236192b42ee031cfc70
-
SHA1
9a858fadae129a94bae8054bf7250df772243436
-
SHA256
6e0b974f966f578469ee922358a302712691319f2f7de5edfd58c187e774198b
-
SHA512
025b5992a0eb01e1ccd02d2fc7705bd5eb7311b66b4749f21720a1e26dfc39e81b414e5491534bf74f570daaecdef1b1ccbedec1f51c4d23587b85402be31b54
-
SSDEEP
1536:+PM+UXmC4BaAnDjYkst+QDXibfHpZ8MrT:dmC4BaAnDjYkkibfHVrT
Malware Config
Signatures
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000915718b965b1644a8d103516520b7956000000000200000000001066000000010000200000001d74c2d254e5407952b2a71033fe13d0133a6c31cd125be9da3df7ac219292e9000000000e8000000002000020000000efe6653c138321d8f1b0d1d8b1fdcd4d5b8f78e94cab0c9976fdf344b1dd952420000000f0a1b2dae21400dc007686a22ca0f40adb24311e78a986e35c793198e595ef39400000007e0d23ad37d54f616b375fe25df9f626e7e8dfab27a6332c80ffb4d3dcf9ea0d59067bc2d73bf08a0292eab0db46ea74aa5efaae5d97931fae50a5c307a9ae55 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f7638992f5d801 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000915718b965b1644a8d103516520b795600000000020000000000106600000001000020000000be6eb203eee568c320a71f0ad84c480a8b88ed10b50e16c4c6ab834b48a7282e000000000e8000000002000020000000688893b63a9c1fe229b0962c1cd2f47c273acb5520a5ba7f668713b66d1ff4f1900000009de5791c4fb4c3cc22b98f110080f15d176d81e6f07159cc92ef80dbafdfe801b2c60f5bd2ce16c12da1e202961e86710100bb0b767421e5c35162fdeb1935b3a9abf27ea1c73cf68b192dbd1b312892f10a8bc1148923a6af942331190b58b3484ffee3e0b654e0cac1b33be898819fc62066a42a6f9f5eefaf3cd01846e69e87b25ee34d369d4a54d07ab792dce8ee40000000489bfc0cd7c1586fd1969933e20df7c8387cb873d4e3c3710cbb10a76dc5cf60fce05d1f0a6168304ad3f7bc98949d3d07ce4164afe1dd1ca5b93577161a32dc iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374308109" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6A9E491-6185-11ED-8AB9-FAB5137186BE} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1492 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1492 iexplore.exe 1492 iexplore.exe 1984 IEXPLORE.EXE 1984 IEXPLORE.EXE 1984 IEXPLORE.EXE 1984 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1492 wrote to memory of 1984 1492 iexplore.exe 29 PID 1492 wrote to memory of 1984 1492 iexplore.exe 29 PID 1492 wrote to memory of 1984 1492 iexplore.exe 29 PID 1492 wrote to memory of 1984 1492 iexplore.exe 29
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\var www html kemhan\category\foto.html"1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1984
-