Overview

overview

10

Static

static

10

bJyy.exe

windows7-x64

10

bJyy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2023 23:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bJyy.exe

  • Size

    138KB

  • MD5

    bdc72c4851b8543f9f57215f1a3fc336

  • SHA1

    b04f8b232040200d68a75400c5e160d0f61387f7

  • SHA256

    59a734c5ae920f5791ace8728981fffe7c9f9270fe26c27c9482dde038dd398c

  • SHA512

    884be565c02616d79feea31aaa2d13926e9fe530ed656a31595d2f295c346867cf4f4c313350b695d3f8b30e56c625995e360e50820bccc605e915ab3cd68599

  • SSDEEP

    3072:6bvu5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Y/:6bvqS7BqjjYHdrqkL/

Score
10/10
arrowrat0xu9g7persistencerat

Malware Config

Extracted

Family

arrowrat

Botnet

0XU9G7

C2

pandora2425.duckdns.org:2425

Mutex

JGLG6C

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

    ratarrowrat
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 35 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bJyy.exe
    "C:\Users\Admin\AppData\Local\Temp\bJyy.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
      2⤵
        PID:1780
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 0XU9G7 pandora2425.duckdns.org 2425 JGLG6C
        2⤵
          PID:4168
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1500 -s 928
          2⤵
          • Program crash
          PID:4172
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 460 -p 1500 -ip 1500
        1⤵
          PID:1652
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:100
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4488

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{9053766B-1DA2-14CF-1B83-21855938BB42}
          Filesize

          36KB

          MD5

          8aaad0f4eb7d3c65f81c6e6b496ba889

          SHA1

          231237a501b9433c292991e4ec200b25c1589050

          SHA256

          813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

          SHA512

          1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
          Filesize

          36KB

          MD5

          fb5f8866e1f4c9c1c7f4d377934ff4b2

          SHA1

          d0a329e387fb7bcba205364938417a67dbb4118a

          SHA256

          1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

          SHA512

          0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133225365155830715.txt
          Filesize

          75KB

          MD5

          65019a5db517d9fb830d8a57406a03ea

          SHA1

          817faf2ffe8461f653519e7bd96e7ee75021c891

          SHA256

          3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

          SHA512

          bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

          Download Submit

        • memory/1500-133-0x000001FA9A320000-0x000001FA9A348000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3692-146-0x00000000033F0000-0x00000000033F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4168-138-0x0000000005840000-0x00000000058A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4168-141-0x0000000005FA0000-0x0000000005FF0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4168-144-0x0000000005330000-0x0000000005340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4168-137-0x00000000059F0000-0x0000000005F94000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4168-136-0x00000000050E0000-0x000000000517C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4168-303-0x0000000005330000-0x0000000005340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4168-135-0x0000000005040000-0x00000000050D2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4168-134-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4488-152-0x0000026CE1340000-0x0000026CE1360000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4488-154-0x0000026CE1300000-0x0000026CE1320000-memory.dmp

          Filesize

          128KB

          Download

        • memory/4488-157-0x0000026CE1920000-0x0000026CE1940000-memory.dmp

          Filesize

          128KB

          Download