Overview

Static: score 10

Sample tasks (score, sample, platform):

Score  Sample      Platform
10     123.exe     windows7-x64
1      123.exe     windows10-2004-x64
1      360sb.exe   windows7-x64
10     360sb.exe   windows10-2004-x64
10     7000.32     ubuntu-18.04-amd64
1      7000.64     ubuntu-18.04-amd64
7      Linux577    ubuntu-18.04-amd64
8      Mh.exe      windows7-x64
7      Mh.exe      windows10-2004-x64
10     Mh1.exe     windows7-x64
7      Mh1.exe     windows10-2004-x64
10     Mh2.exe     windows7-x64
7      Mh2.exe     windows10-2004-x64
10     SETUP.exe   windows7-x64
n/a    SETUP.exe   windows10-2004-x64
n/a    TX98        ubuntu-18.04-amd64
1      TX981       ubuntu-18.04-amd64
1      TX982       ubuntu-18.04-amd64
7      TX984       debian-9-armhf
7      TX985       debian-9-mipsel
7      TX986       debian-9-mips
7      bjyk.exe    windows7-x64
10     bjyk.exe    windows10-2004-x64
10     ceshi.exe   windows7-x64
10     ceshi.exe   windows10-2004-x64
10     ddos.exe    windows7-x64
1      ddos.exe    windows10-2004-x64
10     dhl.exe     windows7-x64
7      dhl.exe     windows10-2004-x64
10     mh3.exe     windows7-x64
7      mh3.exe     windows10-2004-x64
10     server.exe  windows7-x64
Analysis (score 10)

max time kernel: 75s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 09:42
Behavioral tasks

Task          Sample      Resource
behavioral1   123.exe     win7-20230220-en
behavioral2   123.exe     win10v2004-20230221-en
behavioral3   360sb.exe   win7-20230220-en
behavioral4   360sb.exe   win10v2004-20230220-en
behavioral5   7000.32     ubuntu1804-amd64-20221111-en
behavioral6   7000.64     ubuntu1804-amd64-en-20211208
behavioral7   Linux577    ubuntu1804-amd64-20221111-en
behavioral8   Mh.exe      win7-20230220-en
behavioral9   Mh.exe      win10v2004-20230220-en
behavioral10  Mh1.exe     win7-20230220-en
behavioral11  Mh1.exe     win10v2004-20230220-en
behavioral12  Mh2.exe     win7-20230220-en
behavioral13  Mh2.exe     win10v2004-20230220-en
behavioral14  SETUP.exe   win7-20230220-en
behavioral15  SETUP.exe   win10v2004-20230221-en
behavioral16  TX98        ubuntu1804-amd64-en-20211208
behavioral17  TX981       ubuntu1804-amd64-20221111-en
behavioral18  TX982       ubuntu1804-amd64-en-20211208
behavioral19  TX984       debian9-armhf-20221111-en
behavioral20  TX985       debian9-mipsel-en-20211208
behavioral21  TX986       debian9-mipsbe-20221111-en
behavioral22  bjyk.exe    win7-20230220-en
behavioral23  bjyk.exe    win10v2004-20230220-en
behavioral24  ceshi.exe   win7-20230220-en
behavioral25  ceshi.exe   win10v2004-20230220-en
behavioral26  ddos.exe    win7-20230220-en
behavioral27  ddos.exe    win10v2004-20230220-en
behavioral28  dhl.exe     win7-20230220-en
behavioral29  dhl.exe     win10v2004-20230220-en
behavioral30  mh3.exe     win7-20230220-en
behavioral31  mh3.exe     win10v2004-20230220-en
behavioral32  server.exe  win7-20230220-en
General

Target: bjyk.exe
Size: 377KB
MD5: ca7c977b5b315dd62b0189f2619764db
SHA1: 42ce52b22e5017990660148ba6c5ff0097c5af01
SHA256: c6d90ced12fb16ca9ae112787ce6d29379b06e0ba0a90595e337c07453a571fa
SHA512: b7be48e4c7ca12e0059a6b0064eaa8e8c1f4bbd7ed62c2a34671a5875ba25715b45b780d54e58f5429b2cade56244f6a820a46c0a45b0f7e9d4567213a499427
SSDEEP: 6144:xsItKnWUQpBTyPRqyhYPbncTBlhHrbndnkv0oX90Q1vPjrVCTH3mwVaYo7/8FaA/:OtWUzJq8YPbncT3+vXPjc3xVaYo7UFyO
Malware Config

Signatures

Gh0st RAT payload (10 IoCs)
Resource / yara_rule:
  behavioral23/memory/840-133-0x0000000000400000-0x0000000000432800-memory.dmp  family_gh0strat
  C:\Users\Admin\AppData\Local\dtjxyjfndi  family_gh0strat
  \??\c:\users\admin\appdata\local\dtjxyjfndi  family_gh0strat
  behavioral23/memory/840-148-0x0000000000400000-0x0000000000432800-memory.dmp  family_gh0strat
  behavioral23/memory/1320-155-0x0000000000400000-0x0000000000432800-memory.dmp  family_gh0strat
  \??\c:\programdata\drm\%sessionname%\kmhwp.cc3  family_gh0strat
  C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3  family_gh0strat
  behavioral23/memory/1320-162-0x0000000000400000-0x0000000000432800-memory.dmp  family_gh0strat
  C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3  family_gh0strat
  C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3  family_gh0strat

ACProtect 1.3x - 1.4x DLL software (5 IoCs)
Detects file using ACProtect software.
Resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\eni862C.tmp  acprotect
  C:\Users\Admin\AppData\Local\Temp\eni862C.tmp  acprotect
  C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp  acprotect
  C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp  acprotect
  C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp  acprotect

Executes dropped EXE (1 IoC)
PID / process:
  1320  dtjxyjfndi

Loads dropped DLL (7 IoCs)
PID / process:
  840   bjyk.exe
  840   bjyk.exe
  1320  dtjxyjfndi
  1320  dtjxyjfndi
  3904  svchost.exe
  3376  svchost.exe
  4640  svchost.exe

Drops file in System32 directory (6 IoCs)
Description / IoC / process:
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
  File created                  C:\Windows\SysWOW64\mcfbfsshhl       svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
  File created                  C:\Windows\SysWOW64\mcvgdcabuw       svchost.exe
  File opened for modification  C:\Windows\SysWOW64\svchost.exe.txt  svchost.exe
  File created                  C:\Windows\SysWOW64\mbmlclhthi       svchost.exe

Program crash (3 IoCs)
PID / target PID / process / target process:
  4724  3904  WerFault.exe  svchost.exe
  4176  3376  WerFault.exe  svchost.exe
  2152  4640  WerFault.exe  svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID / process:
  1320  dtjxyjfndi
  1320  dtjxyjfndi

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Description / PID / process:
  Token: SeRestorePrivilege   1320  dtjxyjfndi
  Token: SeBackupPrivilege    1320  dtjxyjfndi
  Token: SeBackupPrivilege    1320  dtjxyjfndi
  Token: SeRestorePrivilege   1320  dtjxyjfndi
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeRestorePrivilege   3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeSecurityPrivilege  3904  svchost.exe
  Token: SeSecurityPrivilege  3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeSecurityPrivilege  3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeSecurityPrivilege  3904  svchost.exe
  Token: SeBackupPrivilege    3904  svchost.exe
  Token: SeRestorePrivilege   3904  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeRestorePrivilege   3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeSecurityPrivilege  3376  svchost.exe
  Token: SeSecurityPrivilege  3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeSecurityPrivilege  3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeSecurityPrivilege  3376  svchost.exe
  Token: SeBackupPrivilege    3376  svchost.exe
  Token: SeRestorePrivilege   3376  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeRestorePrivilege   4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeSecurityPrivilege  4640  svchost.exe
  Token: SeSecurityPrivilege  4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeSecurityPrivilege  4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeSecurityPrivilege  4640  svchost.exe
  Token: SeBackupPrivilege    4640  svchost.exe
  Token: SeRestorePrivilege   4640  svchost.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
PID / process:
  840   bjyk.exe
  1320  dtjxyjfndi

Suspicious use of WriteProcessMemory (3 IoCs)
Description / PID / process / target process:
  PID 840 wrote to memory of 1320  840  bjyk.exe  dtjxyjfndi
  PID 840 wrote to memory of 1320  840  bjyk.exe  dtjxyjfndi
  PID 840 wrote to memory of 1320  840  bjyk.exe  dtjxyjfndi
Processes

C:\Users\Admin\AppData\Local\Temp\bjyk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bjyk.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\dtjxyjfndi
    Command line: "C:\Users\Admin\AppData\Local\Temp\bjyk.exe" a -sc:\users\admin\appdata\local\temp\bjyk.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 872
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3904 -ip 3904

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1112
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3376 -ip 3376

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 864
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4640 -ip 4640
Network
MITRE ATT&CK Matrix
Downloads
C:\ProgramData\DRM\%SESSIONNAME%\kmhwp.cc3
  Filesize: 20.0MB
  MD5: 1eb51fd593858bbdfb872ec9214f9d6e
  SHA1: 1627ead1a8046e6d9c32db473aefb82a5531b303
  SHA256: 359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308
  SHA512: d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586
C:\Users\Admin\AppData\Local\Temp\eni862C.tmp
  Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
C:\Users\Admin\AppData\Local\Temp\kni8B6C.tmp
  Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
C:\Users\Admin\AppData\Local\dtjxyjfndi
  Filesize: 19.2MB
  MD5: b49686beda51cec1fa9f478a0e59c79c
  SHA1: 6d06b15bb5f6b3d76000579e1480360b40b7bdd3
  SHA256: 8fb5247cb386c5bf568dc10509134df4124685f0044b95e0848d8b93a045afae
  SHA512: 0e27fa01c6cc8fc3c2fcc4415c116d120c371fb46a4d68d89d934898b196ba5da0307f521dc6adb7d62a8edc05883143c2ba56219d4f0a7ded366239ad57160f

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 202B
  MD5: f3828e6ab553070f5ca2fc56126ad3c1
  SHA1: 90bf7710a124cfda7e703117ae1442b47a06dd3d
  SHA256: c7bd803686f96bef9124cf25bc43cec23b801c73a4ebe3bd26c4974a221a52d5
  SHA512: 92d4c87febeffdad57692973c079bb6cfaa0c668eb5fe4ac871016cb370a3792df691e8dc286226c1f987bd88c3395bfa435a7c2baea1653a5b72bdbe06dea12

C:\Windows\SysWOW64\svchost.exe.txt
  Filesize: 303B
  MD5: a6c80544129e79edacf3610d038c53d0
  SHA1: 82eeac2483bbca877d71dcd473c874eff3b0cbef
  SHA256: 57860b71e749450b756f1adf18abb5f5f52285d250da42834a70d24571a47a26
  SHA512: 4df3256397cfc08506645f1b5308c08c254a162e2f904642694947293505b84b3b799a2f24927172eed5e6ce639d2c9868fdea316e1dab94050bcfdf133c9135

\??\c:\programdata\drm\%sessionname%\kmhwp.cc3
  Filesize: 20.0MB
  MD5: 1eb51fd593858bbdfb872ec9214f9d6e
  SHA1: 1627ead1a8046e6d9c32db473aefb82a5531b303
  SHA256: 359147b01d0dc5621014cac3fe4f9eedb53e10fbcba4459726f6b6d69418a308
  SHA512: d88a4ed49e4e43e52dfe9096caeb70ad9f54a4be58104c474954fe41c8208878a93d25a2c7f4bdd2c4e14638ef9f3afb2602e4e21b2abedd8b04e7803132a586

\??\c:\users\admin\appdata\local\dtjxyjfndi
  Filesize: 19.2MB
  MD5: b49686beda51cec1fa9f478a0e59c79c
  SHA1: 6d06b15bb5f6b3d76000579e1480360b40b7bdd3
  SHA256: 8fb5247cb386c5bf568dc10509134df4124685f0044b95e0848d8b93a045afae
  SHA512: 0e27fa01c6cc8fc3c2fcc4415c116d120c371fb46a4d68d89d934898b196ba5da0307f521dc6adb7d62a8edc05883143c2ba56219d4f0a7ded366239ad57160f

Memory dumps (path, filesize):
  memory/840-148-0x0000000000400000-0x0000000000432800-memory.dmp    202KB
  memory/840-133-0x0000000000400000-0x0000000000432800-memory.dmp    202KB
  memory/840-146-0x0000000000590000-0x0000000000603000-memory.dmp    460KB
  memory/840-140-0x0000000000590000-0x0000000000603000-memory.dmp    460KB
  memory/1320-155-0x0000000000400000-0x0000000000432800-memory.dmp   202KB
  memory/1320-162-0x0000000000400000-0x0000000000432800-memory.dmp   202KB
  memory/1320-161-0x0000000001F90000-0x0000000002003000-memory.dmp   460KB
  memory/1320-160-0x0000000001F90000-0x0000000002003000-memory.dmp   460KB
  memory/1320-154-0x0000000001F90000-0x0000000002003000-memory.dmp   460KB
  memory/3376-166-0x0000000000FB0000-0x0000000000FB1000-memory.dmp   4KB
  memory/3904-163-0x00000000017F0000-0x00000000017F1000-memory.dmp   4KB
  memory/4640-170-0x00000000015F0000-0x00000000015F1000-memory.dmp   4KB