1d305787202474fcc79a210caf6cd88c7722fed5249797483817da4a04967f7b

General

Target

11EAEB2EE4191C259F66302AD1C03B1E.exe
Size

1.8MB
MD5

11eaeb2ee4191c259f66302ad1c03b1e
SHA1

1035878efe2fce53d7414e72430756a11e1c4c04
SHA256

1d305787202474fcc79a210caf6cd88c7722fed5249797483817da4a04967f7b
SHA512

817a6724d17c7f4049163d9e774ae501c7b7122e10c782ecb4d31c0bef69134106e8d340466eddbc379b8868507ce9dc9c16d625aa30ff0396db4ef377bce969
SSDEEP

49152:qKVXGViAGZjn2vLDo/BeacqBfzqEP/JoX9RUW:qKpAGZjuLDo/BebqBfPBoNRUW

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jwxfloader.exe

pid process

3432 jwxfloader.exe

pid	process
3432	jwxfloader.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\jwxfloader.exe	vmprotect
\??\c:\jwxfloader.exe	vmprotect
behavioral2/memory/3432-139-0x0000000000400000-0x0000000000916000-memory.dmp	vmprotect
behavioral2/memory/3432-138-0x0000000000400000-0x0000000000916000-memory.dmp	vmprotect
behavioral2/memory/3432-156-0x0000000000400000-0x0000000000916000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

11EAEB2EE4191C259F66302AD1C03B1E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	11EAEB2EE4191C259F66302AD1C03B1E.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jwxfloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	jwxfloader.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1	jwxfloader.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

jwxfloader.exe

description	pid	process	target process
PID 3432 set thread context of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 set thread context of 1952	3432	jwxfloader.exe	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\WINDOWS\loktbglc.log svchost.exe
File opened for modification C:\WINDOWS\loktbglc.log svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2412 PING.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

jwxfloader.exesvchost.exesvchost.exe

pid process

3432 jwxfloader.exe
3432 jwxfloader.exe
3720 svchost.exe
3720 svchost.exe
1952 svchost.exe
1952 svchost.exe

description	ioc	process
File created	C:\WINDOWS\loktbglc.log	svchost.exe
File opened for modification	C:\WINDOWS\loktbglc.log	svchost.exe

pid	process
2412	PING.EXE

pid	process
3432	jwxfloader.exe
3432	jwxfloader.exe
3720	svchost.exe
3720	svchost.exe
1952	svchost.exe
1952	svchost.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

11EAEB2EE4191C259F66302AD1C03B1E.execmd.exejwxfloader.exe

description	pid	process	target process
PID 4864 wrote to memory of 3140	4864	11EAEB2EE4191C259F66302AD1C03B1E.exe	cmd.exe
PID 4864 wrote to memory of 3140	4864	11EAEB2EE4191C259F66302AD1C03B1E.exe	cmd.exe
PID 4864 wrote to memory of 3140	4864	11EAEB2EE4191C259F66302AD1C03B1E.exe	cmd.exe
PID 3140 wrote to memory of 2412	3140	cmd.exe	PING.EXE
PID 3140 wrote to memory of 2412	3140	cmd.exe	PING.EXE
PID 3140 wrote to memory of 2412	3140	cmd.exe	PING.EXE
PID 3140 wrote to memory of 3432	3140	cmd.exe	jwxfloader.exe
PID 3140 wrote to memory of 3432	3140	cmd.exe	jwxfloader.exe
PID 3140 wrote to memory of 3432	3140	cmd.exe	jwxfloader.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 3720	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe
PID 3432 wrote to memory of 1952	3432	jwxfloader.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\11EAEB2EE4191C259F66302AD1C03B1E.exe
"C:\Users\Admin\AppData\Local\Temp\11EAEB2EE4191C259F66302AD1C03B1E.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\jw.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
3⤵
- Runs ping.exe
PID:2412

\??\c:\jwxfloader.exe
c:\jwxfloader.exe
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432

C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\system32\svchost.exe
4⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3720

C:\WINDOWS\SysWOW64\svchost.exe
C:\WINDOWS\system32\svchost.exe Jw_Hlj_20140417
4⤵
- Suspicious use of SetWindowsHookEx
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\jw.bat
Filesize
56B

MD5
b2e1f69fb14ec4e432843ecbc26134ef

SHA1
120f2236468228c1c3c05b764b45787fd65254b7

SHA256
dadcb66afa7049544f9d0fffa563ee936ea59167c31980c55208ac1cfe4b2c1a

SHA512
5610bd2627f2a4800ec280dcfc2554b1bff9d13b8b497707401d395b72f5be63ec7dad0b5bbb5643d9109323983cae26c7b2bbd648fd917f1cdb15f441a36a8a

Download Submit
C:\jwxfloader.exe
Filesize
1.7MB

MD5
a43bb3b6c1cfc3ff41f10da4db84ab85

SHA1
200dfe039b3ed1331104dbc8f59a42172f0cf868

SHA256
83ef0f10d40a74aa0da8d7b6d44f0a701f982520f75b464b7f795a8d158e29a1

SHA512
5243b4cd5f1f737b15d1d945a79a9544c089658b924163d06c6c2559f871267dab3387b7a2b7e9a7a94d11f800c740244e75004669e3902e415ae83ae21f6c02

Download Submit
\??\c:\jwxfloader.exe
Filesize
1.7MB

MD5
a43bb3b6c1cfc3ff41f10da4db84ab85

SHA1
200dfe039b3ed1331104dbc8f59a42172f0cf868

SHA256
83ef0f10d40a74aa0da8d7b6d44f0a701f982520f75b464b7f795a8d158e29a1

SHA512
5243b4cd5f1f737b15d1d945a79a9544c089658b924163d06c6c2559f871267dab3387b7a2b7e9a7a94d11f800c740244e75004669e3902e415ae83ae21f6c02

Download Submit
\??\c:\mainpro.ini
Filesize
367B

MD5
c789dcf2272e43755a0fa0b58eeb8eed

SHA1
0ab3b84be0a987c78af85ff9e930bef53d2592ec

SHA256
b468e56de0fe04b280e77ad81318e0b1980f05705b15a6650d632578deeb054e

SHA512
69a07c9dee0f196f2492f78e5c267e3d5bac62b6b874f30a570260baca2cd6cfa94707d988770775c2b8c724a470a26853e1c7827cacf26a7504085f53702079

Download Submit
memory/1952-147-0x0000000000000000-mapping.dmp

Download
memory/1952-155-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1952-150-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1952-152-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1952-149-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1952-151-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/2412-134-0x0000000000000000-mapping.dmp

Download
memory/3140-132-0x0000000000000000-mapping.dmp

Download
memory/3432-135-0x0000000000000000-mapping.dmp

Download
memory/3432-139-0x0000000000400000-0x0000000000916000-memory.dmp

Filesize
5.1MB

Download
memory/3432-138-0x0000000000400000-0x0000000000916000-memory.dmp

Filesize
5.1MB

Download
memory/3432-156-0x0000000000400000-0x0000000000916000-memory.dmp

Filesize
5.1MB

Download
memory/3720-145-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3720-144-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3720-148-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3720-143-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3720-142-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3720-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads