Analysis

max time kernel: 36s
max time network: 37s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-01-2023 06:42
Static task: static1

Behavioral task: behavioral1
  Sample: DnsJumper.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: DnsJumper.exe
  Resource: win10v2004-20220901-en

The signatures and process tree on this page come from the behavioral2 run (win10v2004-20220901-en), which is the platform and resource named in the analysis summary.
General

Target: DnsJumper.exe
Size: 884KB
MD5: aea6dfbb052b8613b2df44fd2d008d09
SHA1: 17434441b4d61320edf8ae506923403c36088d51
SHA256: 7e221e7967570b0deca8e1c4f23ed9e39423dcc0733337bcb6e2c08b3b7b9ba1
SHA512: d4ad11a094ea9aa8e47bde543f917ffccb157a8633ab7cb7e0790f3c571cc067c3d62965bf499e630ebd8d0cd8af5e0f31ab9e40ae54ad306fa16aa94f9296d7
SSDEEP: 12288:aaWzgMg7v3qnCi5ErQohh0F4qCJ8lnynQS53ENqPXJbRchK:VaHMv6CFrjenynQmU0PXJbRd
Malware Config
Signatures
Unexpected DNS network traffic destination (2 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  description     ioc
  Destination IP  208.67.222.222
  Destination IP  208.67.220.220

Both addresses are OpenDNS public resolvers. Taken together with the repeated ipconfig.exe /flushdns children in the process tree, the traffic is consistent with the sample changing the host's resolver settings and then resolving through the new servers. The signature earns attention when the port-53 destination is not a recognisable resolver at all, since an arbitrary host answering on port 53 is what DNS tunnelling and C2-over-DNS look like.
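The check behind this signature, written out as an added example (this is not the sandbox's own detection code): given flow records and the host's configured resolvers, report every port-53 destination that is not a configured resolver, then label each hit as a known public resolver or "unknown". CONFIGURED_RESOLVERS and SAMPLE_FLOWS are constructed for illustration; the two OpenDNS destinations in the sample flows are the report's IoCs.

```python
"""Flag DNS-port traffic to resolvers other than the ones the host is configured to use.

Added example for the "Unexpected DNS network traffic destination" signature; it is
not the sandbox's own detection logic. CONFIGURED_RESOLVERS and SAMPLE_FLOWS are
constructed for illustration; the two OpenDNS destinations match the report's IoCs.
"""
from ipaddress import ip_address

# Assumed resolver configuration of the monitored host (constructed value).
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# Well-known public resolvers, used only to label hits during triage.
KNOWN_PUBLIC_RESOLVERS = {
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.127.0.10", 51234, "10.127.0.1", 53, "udp"),      # lookup via the configured resolver
    ("10.127.0.10", 51235, "208.67.222.222", 53, "udp"),  # report IoC
    ("10.127.0.10", 51236, "208.67.220.220", 53, "udp"),  # report IoC
    ("10.127.0.10", 51237, "208.67.222.222", 53, "tcp"),  # same host over TCP, reported once
    ("10.127.0.10", 49152, "93.184.216.34", 443, "tcp"),  # not DNS, ignored
]


def unexpected_dns_destinations(flows, configured):
    """Unique destination IPs (as strings, ascending) that received UDP or TCP
    port-53 traffic and are not in the configured resolver set."""
    configured_ips = {ip_address(r) for r in configured}
    hits = set()
    for _src, _sport, dst, dport, proto in flows:
        if dport != 53 or proto not in ("udp", "tcp"):
            continue
        dst_ip = ip_address(dst)
        if dst_ip not in configured_ips:
            hits.add(dst_ip)
    # Sort by address family first so IPv4 and IPv6 hits never get compared directly.
    return [str(ip) for ip in sorted(hits, key=lambda ip: (ip.version, int(ip)))]


def triage(flows, configured):
    """Map each unexpected destination to the operator of a known public resolver,
    or 'unknown' when it is not one. An 'unknown' host answering on port 53 is the
    case to chase: DNS tunnelling and C2-over-DNS both look exactly like this."""
    return {ip: KNOWN_PUBLIC_RESOLVERS.get(ip, "unknown")
            for ip in unexpected_dns_destinations(flows, configured)}


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_FLOWS, CONFIGURED_RESOLVERS).items():
        print(f"{ip:16} {label}")
```

Run against the constructed flows it reports both OpenDNS addresses and nothing else; feeding it a real flow export only requires mapping the export's columns onto the same 5-tuple.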
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

No IoCs are listed for this signature. The "likely ransomware" wording is the sandbox's generic description of the TTP; nothing else on this page (no file writes, no encryption activity) corroborates it for this sample.
Gathers network information (2 TTPs, 5 IoCs)
Uses commandline utility to view network configuration.

  pid   Process
  3888  ipconfig.exe
  1120  ipconfig.exe
  3644  ipconfig.exe
  4160  ipconfig.exe
  3856  ipconfig.exe

The description is the sandbox's generic text for any ipconfig.exe launch; the process tree shows every one of these five invocations as ipconfig.exe /flushdns, which clears the resolver cache rather than viewing the configuration.
Suspicious behavior: EnumeratesProcesses (12 IoCs)

  pid   Process        hits
  3392  DnsJumper.exe  12

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  pid   Process
  3392  DnsJumper.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)

  description                        pid   Process
  Token: 33                          4604  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  4604  AUDIODG.EXE

Both hits belong to AUDIODG.EXE (the Windows audio device graph isolation process), which the process tree places at the same depth as the sample with no parent link to it. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege. Neither hit is attributable to DnsJumper.exe.
Suspicious use of FindShellTrayWindow (55 IoCs)

  pid   Process        hits
  3392  DnsJumper.exe  55

Suspicious use of SendNotifyMessage (55 IoCs)

  pid   Process        hits
  3392  DnsJumper.exe  55

Both are user-interface calls (notification-area and window-message plumbing) and point to a GUI application with a tray presence; on their own they are not specific to malicious behaviour.
Suspicious use of WriteProcessMemory (15 IoCs)

  description                        pid   Process        procid_target  hits
  PID 3392 wrote to memory of 3856   3392  DnsJumper.exe  88             3
  PID 3392 wrote to memory of 3888   3392  DnsJumper.exe  90             3
  PID 3392 wrote to memory of 1120   3392  DnsJumper.exe  92             3
  PID 3392 wrote to memory of 3644   3392  DnsJumper.exe  94             3
  PID 3392 wrote to memory of 4160   3392  DnsJumper.exe  96             3

Every target is one of the five ipconfig.exe children that 3392 itself started (procid_target is the sandbox's internal process identifier, not a Windows PID). Writes confined to a process's own freshly created children are what CreateProcess produces when it places the child's startup parameters into the new process; a write into a process the sample did not create would be the injection pattern this signature exists to catch, and none appears here.
Processes

C:\Users\Admin\AppData\Local\Temp\DnsJumper.exe (PID 3392, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\DnsJumper.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\ipconfig.exe (PID 3856, depth 2)
    command line: ipconfig.exe /flushdns
    - Gathers network information

  C:\Windows\SysWOW64\ipconfig.exe (PID 3888, depth 2)
    command line: ipconfig.exe /flushdns
    - Gathers network information

  C:\Windows\SysWOW64\ipconfig.exe (PID 1120, depth 2)
    command line: ipconfig.exe /flushdns
    - Gathers network information

  C:\Windows\SysWOW64\ipconfig.exe (PID 3644, depth 2)
    command line: ipconfig.exe /flushdns
    - Gathers network information

  C:\Windows\SysWOW64\ipconfig.exe (PID 4160, depth 2)
    command line: ipconfig.exe /flushdns
    - Gathers network information

C:\Windows\system32\AUDIODG.EXE (PID 4604, depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x42c 0x2f4
  - Suspicious use of AdjustPrivilegeToken

Two things the tree shows: the children resolve to the SysWOW64 copy of ipconfig.exe, so the sample runs as a 32-bit process under WOW64 file-system redirection (consistent with the arch:x86 resource tag), and AUDIODG.EXE sits at the same depth as the sample with no parent link to it, so its AdjustPrivilegeToken hits are unrelated system activity.
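The correlation used to read the WriteProcessMemory signature against the process tree, as an added triage helper (not the sandbox's own code): parse the report's flattened "PID X wrote to memory of Y" rows, look each target up in the process list, and label every (writer, target) pair as a write into the writer's own child, a write into some other live process (an injection candidate), or a write to a PID the tree does not know. REPORT_WPM and REPORT_PROCESSES are copied from the two sections above; the foreign-write case is constructed only to show the other outcome.

```python
"""Correlate WriteProcessMemory hits with the process tree to tell process-creation
writes apart from writes into an unrelated process.

Added triage helper for this report; not the sandbox's own code. REPORT_WPM and
REPORT_PROCESSES are copied from the "Suspicious use of WriteProcessMemory" and
"Processes" sections; a foreign-write row is constructed under __main__ to show
the other outcome.
"""
import re
from collections import Counter

# Row format as printed by the report:
# "PID <writer> wrote to memory of <target> <writer> <image> <sandbox target id>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

REPORT_WPM = """
PID 3392 wrote to memory of 3856 3392 DnsJumper.exe 88
PID 3392 wrote to memory of 3856 3392 DnsJumper.exe 88
PID 3392 wrote to memory of 3856 3392 DnsJumper.exe 88
PID 3392 wrote to memory of 3888 3392 DnsJumper.exe 90
PID 3392 wrote to memory of 3888 3392 DnsJumper.exe 90
PID 3392 wrote to memory of 3888 3392 DnsJumper.exe 90
PID 3392 wrote to memory of 1120 3392 DnsJumper.exe 92
PID 3392 wrote to memory of 1120 3392 DnsJumper.exe 92
PID 3392 wrote to memory of 1120 3392 DnsJumper.exe 92
PID 3392 wrote to memory of 3644 3392 DnsJumper.exe 94
PID 3392 wrote to memory of 3644 3392 DnsJumper.exe 94
PID 3392 wrote to memory of 3644 3392 DnsJumper.exe 94
PID 3392 wrote to memory of 4160 3392 DnsJumper.exe 96
PID 3392 wrote to memory of 4160 3392 DnsJumper.exe 96
PID 3392 wrote to memory of 4160 3392 DnsJumper.exe 96
"""

# (pid, parent pid or None for a tree root, command line) from the Processes section.
REPORT_PROCESSES = [
    (3392, None, r'"C:\Users\Admin\AppData\Local\Temp\DnsJumper.exe"'),
    (3856, 3392, "ipconfig.exe /flushdns"),
    (3888, 3392, "ipconfig.exe /flushdns"),
    (1120, 3392, "ipconfig.exe /flushdns"),
    (3644, 3392, "ipconfig.exe /flushdns"),
    (4160, 3392, "ipconfig.exe /flushdns"),
    (4604, None, r"C:\Windows\system32\AUDIODG.EXE 0x42c 0x2f4"),
]


def parse_wpm(text):
    """Return (writer_pid, target_pid, writer_image) for each row of the flattened table."""
    return [(int(w), int(t), img) for w, t, _w2, img, _tid in WPM_RE.findall(text)]


def classify_writes(events, processes):
    """Group writes by (writer, target) and label each pair:
    'own-child'        target was started by the writer; CreateProcess writes the
                       child's startup parameters, so API hooks record these
    'foreign-process'  target exists but is not the writer's child: injection candidate
    'unknown-target'   target pid is not in the process list at all
    Returns {(writer, target): (label, hit_count)}."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    counts = Counter((w, t) for w, t, _ in events)
    result = {}
    for (writer, target), n in counts.items():
        if target in parent_of and parent_of[target] == writer:
            label = "own-child"
        elif target in parent_of:
            label = "foreign-process"
        else:
            label = "unknown-target"
        result[(writer, target)] = (label, n)
    return result


def injection_candidates(findings):
    """(writer, target) pairs that need a closer look, ascending."""
    return sorted(pair for pair, (label, _) in findings.items() if label != "own-child")


if __name__ == "__main__":
    events = parse_wpm(REPORT_WPM)
    # Constructed row, not from the report: a write into AUDIODG.EXE, which 3392 did not start.
    events.append((3392, 4604, "DnsJumper.exe"))
    findings = classify_writes(events, REPORT_PROCESSES)
    for (writer, target), (label, n) in sorted(findings.items()):
        print(f"{writer} -> {target}: {label} ({n} hits)")
    print("injection candidates:", injection_candidates(findings) or "none")
```

On the report's own rows every pair comes out as own-child with three hits and the candidate list is empty; the constructed write into PID 4604 is the shape that would justify pulling a memory dump of the target.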