f198adaad638a3cfa620cee0e2580c52a91026fc4b538290456e700578df7586 | Triage

Resubmissions

10-06-2023 07:08

230610-hx74tsec98 9

10-06-2023 07:05

230610-hwj1lsfa9v 3

Sharing

General

Target

jokescript-main.zip
Size

201KB
Sample

230610-hx74tsec98
MD5

0d08c67727acec16c9438c97fbd75bbc
SHA1

0da02d711a2253e76b42cf8d100c6210e38aca2b
SHA256

f198adaad638a3cfa620cee0e2580c52a91026fc4b538290456e700578df7586
SHA512

32e018210c8780995ebdf8e8224e2492a53b31eba4318a4da2a6278b6f247fac32832a67d3476d2d4dedb1f0aedc45d7c004d8b28dcc7113a40af4d4c347e3dc
SSDEEP

6144:0iDhcQKq3vENf1dnapnLbESOsOolMk2r9Rvk:0ixncp8n3wsOsmRs

Score

9^/10

microsoft discovery persistence phishing ransomware spyware stealer

Malware Config

Targets

- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/garticflix/fav.svg
- Size
  
  1019B
- MD5
  
  56a34e9ec7074dcf1c5e143174c0ab30
- SHA1
  
  f909d8344d0064647b9607e1224ca62684aaee28
- SHA256
  
  2008a37d2a97b9412804537bfa4a43661088108614d27e9c9e26337eb7a0826a
- SHA512
  
  cd321c1e8327931dcdc982b87828fd4cdc0847b3e541989843a8874c010405df79058825cbc85b1428a67c86579408b3c2eebb27d013ff3ef1990d509c915365
Score

1^/10
behavioral1
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/garticflix/garticflix.html
- Size
  
  7KB
- MD5
  
  078289d49d4043e3aa1baa210b9cf8be
- SHA1
  
  aa83b26be1663c81e8bbfb18cfc6578b1130b5d0
- SHA256
  
  3f20bf9d0f9d12f401cbb23a0df463a3d3c31dff4f9532f1a8065be77d229f28
- SHA512
  
  b3108f0980ec780aeff855aa923602134043609071b678f81115448e1d0035051c60987912ee50e9e909e4cd6defe3d5f997b136145a533b0302c20536305fdd
- SSDEEP
  
  192:M12ZWJRb73fdkKCnIaQp4AyVwbw1DFh/RkVILhxzeEy/qC5:M12ZWJRn4Iac4vqEy/9
Score

9^/10

microsoft discovery persistence phishing ransomware spyware stealer
- Renames multiple (58) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
behavioral2
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/garticflix/main.html
- Size
  
  647B
- MD5
  
  cd9ed8054df88addf05ec27fee20930e
- SHA1
  
  9850444822ae0fd96b3ab6be309b0f6120dc0b89
- SHA256
  
  d711943b49e527b4875375a34b4767e28775d48e57d169545acee32da33e456e
- SHA512
  
  2ff06674336098f5c085c38293cba2b27d7e5556df3c27d4b3a4fe388d3db1e0bae83afe5a1afd3e44d90ceb6650f8a47bdeecbb7ec52914813a4f30a8f7d3b7
Score

1^/10
behavioral3
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/garticflix/unfav.svg
- Size
  
  1019B
- MD5
  
  298c389cf76d61a892fe9397b28853da
- SHA1
  
  1e38950eba2ff37184069c37c710be07718af5ff
- SHA256
  
  562230ab9597f98dc12498cf24ddfba7a720f049d057f63a82c4447e8c799ff9
- SHA512
  
  8c79cc0ddb5355a9a8e209f1ad2094e1ab1ff1e7a93e210cf0f7265264bf3b43f3010661ca9146133838ef2f210f64e11e2377dc6f8fb18be59ce38af0e41517
Score

1^/10
behavioral4
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/redbot-v1.7.html
- Size
  
  283KB
- MD5
  
  059f481aa93aeff2bd4e7858b8c5d260
- SHA1
  
  4992e0730045ff64711998266724d631fd86c322
- SHA256
  
  340cfa96ff13a55c3617f54cbb8f7a947b1df2055719b49be455272affd839cf
- SHA512
  
  93a790fdcde4f30b9869d4c88b4e5dbde7d2f6bd6b4b6812e0f47ca6984e6b74bf083fbde09a209fff3950c9e06a5dba1ecb6b4ae9226dd1068d177371ddafe7
- SSDEEP
  
  6144:dtwiOIaYsYSI0wh5vvzy+n4gGVBFGCJd7OhC4/YcwJg8iX05frGQB6ReFKcXFdW5:TwRYSI0whNry+uVBFVJqC4qKQs7c89Og
Score

1^/10
behavioral5
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/redbotv2.html
- Size
  
  138KB
- MD5
  
  2a57bf7d8b6fa9253e61a8610abf70c8
- SHA1
  
  47df0b9355c203adcee443a55d636bcdac87e86e
- SHA256
  
  7fc48e2c691b8857c8cafcd3d1abe287039e89cd69ced84f82d032eb4b09abab
- SHA512
  
  3e3c65762df0d0da1a901c5b3f26b66eeb6976486bf7b815ab27bf4af485080c8cd992cac56a2848bf19645555c872fc9f90878a719f8235c028a38b17fd290b
- SSDEEP
  
  3072:XGLjO9TdSx5WwINvYRwl/3y9VcrMcydmVb4AX3:WLjsAxIwIBYml/3y9VOMcy6b4A3
Score

1^/10
behavioral6
- Target
  
  jokescript-main/ygn-redbot-whowhere-garticflix/whowhere.html
- Size
  
  5KB
- MD5
  
  a315fd50ba29c2ca20c3e811825c4a4a
- SHA1
  
  97aa13da98175213c4ccd796174586e97ec40ca5
- SHA256
  
  9495d9eaf5d1c3c83f45544ac2734346bc016c3c83fae6ba27fe4332425cda56
- SHA512
  
  45e28a072f3aa9b227594bc40c9e1a2b3f7dedcaa2fbaa7df43ee1de946a64b91adf492c11b7693bb02a306d2f00395d4b049b52cff2663fbd4884dcb2a2be1c
- SSDEEP
  
  48:tpIXwIry73fQJhu2WZHwdu98rcXSeC+NduHtS7Jjx6pMvz5SGUsCziDECQWy4eLO:0Fr83fAhNGn9Q2SeC7o2pMhECODej
Score

1^/10
behavioral7

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

microsoftdiscoverypersistencephishingransomwarespywarestealer

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7