Analysis
max time kernel: 150s
max time network: 136s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2023, 19:39

Static task: static1
Behavioral task: behavioral1
Sample: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Resource: win7-20230712-en

General
Target: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Size: 650KB
MD5: 11d53aeb002e7e97ec2598bebd30621c
SHA1: eee1a497524f9504a6f79f1e0bcd561bf16651a9
SHA256: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441
SHA512: f49d1cd55489b1d296949116a704e8ad8d73345669db6ae9a3a3c7a5f49e0a4248d903c4e9a519a3ee7c6d38ac85bf87b0c59beb08ced05975acb0be0cc3f6bc
SSDEEP: 12288:mutTZV/qb9ylN28aE2GThX8xbNpaF/4esnMzIiTe:BNZEbCfCGTqx+F/IViTe

Malware Config
Signatures
resource                                                                     yara_rule
behavioral1/memory/1964-3-0x0000000010000000-0x00000000101BA000-memory.dmp   purplefox_rootkit
behavioral1/memory/1964-4-0x0000000010000000-0x00000000101BA000-memory.dmp   purplefox_rootkit
behavioral1/memory/1964-17-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral1/memory/2560-18-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral1/memory/2644-22-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral1/memory/2644-24-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral1/memory/2644-27-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral1/memory/2644-29-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit

Gh0st RAT payload (10 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1964-2-0x0000000010000000-0x00000000101BA000-memory.dmp   family_gh0strat
behavioral1/memory/1964-3-0x0000000010000000-0x00000000101BA000-memory.dmp   family_gh0strat
behavioral1/memory/1964-4-0x0000000010000000-0x00000000101BA000-memory.dmp   family_gh0strat
behavioral1/memory/2560-11-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/1964-17-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/2560-18-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/2644-22-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/2644-24-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/2644-27-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral1/memory/2644-29-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat

Drops file in Drivers directory (1 IoCs)
description   ioc                                        Process
File created  C:\Windows\system32\drivers\QAssist.sys  Jbcst.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
description      ioc                                                                                                  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Jbcst.exe

Deletes itself (1 IoCs)
pid   Process
2592  cmd.exe

Executes dropped EXE (2 IoCs)
pid   Process
2560  Jbcst.exe
2644  Jbcst.exe

Loads dropped DLL (1 IoCs)
pid   Process
2560  Jbcst.exe

resource                                                                     yara_rule
behavioral1/memory/1964-0-0x0000000010000000-0x00000000101BA000-memory.dmp   upx
behavioral1/memory/1964-2-0x0000000010000000-0x00000000101BA000-memory.dmp   upx
behavioral1/memory/1964-3-0x0000000010000000-0x00000000101BA000-memory.dmp   upx
behavioral1/memory/1964-4-0x0000000010000000-0x00000000101BA000-memory.dmp   upx
behavioral1/memory/2560-11-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/1964-17-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/2560-18-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/2644-22-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/2644-24-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/2644-27-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral1/memory/2644-29-0x0000000010000000-0x00000000101BA000-memory.dmp  upx

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\N:  Jbcst.exe
File opened (read-only)  \??\T:  Jbcst.exe
File opened (read-only)  \??\W:  Jbcst.exe
File opened (read-only)  \??\Y:  Jbcst.exe
File opened (read-only)  \??\B:  Jbcst.exe
File opened (read-only)  \??\G:  Jbcst.exe
File opened (read-only)  \??\J:  Jbcst.exe
File opened (read-only)  \??\L:  Jbcst.exe
File opened (read-only)  \??\Z:  Jbcst.exe
File opened (read-only)  \??\P:  Jbcst.exe
File opened (read-only)  \??\X:  Jbcst.exe
File opened (read-only)  \??\I:  Jbcst.exe
File opened (read-only)  \??\K:  Jbcst.exe
File opened (read-only)  \??\M:  Jbcst.exe
File opened (read-only)  \??\O:  Jbcst.exe
File opened (read-only)  \??\E:  Jbcst.exe
File opened (read-only)  \??\Q:  Jbcst.exe
File opened (read-only)  \??\U:  Jbcst.exe
File opened (read-only)  \??\H:  Jbcst.exe
File opened (read-only)  \??\R:  Jbcst.exe
File opened (read-only)  \??\S:  Jbcst.exe
File opened (read-only)  \??\V:  Jbcst.exe

Drops file in System32 directory (2 IoCs)
description                   ioc                            Process
File created                  C:\Windows\SysWOW64\Jbcst.exe  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
File opened for modification  C:\Windows\SysWOW64\Jbcst.exe  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe

Modifies data under HKEY_USERS (6 IoCs)
description      ioc                                                                           Process
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft                                    Jbcst.exe
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie                        Jbcst.exe
Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum                Jbcst.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"  Jbcst.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum                Jbcst.exe
Key created      \REGISTRY\USER\.DEFAULT\Software                                              Jbcst.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid   Process
2648  PING.EXE

Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid   Process
2644  Jbcst.exe  (33 identical entries)

Suspicious behavior: LoadsDriver (1 IoCs)
pid   Process
2644  Jbcst.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                        pid   Process
Token: SeIncBasePriorityPrivilege  1964  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Token: SeLoadDriverPrivilege       2644  Jbcst.exe
Token: 33                          2644  Jbcst.exe
Token: SeIncBasePriorityPrivilege  2644  Jbcst.exe
Token: 33                          2644  Jbcst.exe
Token: SeIncBasePriorityPrivilege  2644  Jbcst.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description                       pid   Process                                                                procid_target
PID 1964 wrote to memory of 2592  1964  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe  29  (4 identical entries)
PID 2560 wrote to memory of 2644  2560  Jbcst.exe                                                              30  (7 identical entries)
PID 2592 wrote to memory of 2648  2592  cmd.exe                                                                32  (4 identical entries)

Processes
C:\Users\Admin\AppData\Local\Temp\069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe"
  PID: 1964
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\069303~1.EXE > nul
      PID: 2592
      - Deletes itself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 2 127.0.0.1
          PID: 2648
          - Runs ping.exe

C:\Windows\SysWOW64\Jbcst.exe
  Command line: C:\Windows\SysWOW64\Jbcst.exe -auto
  PID: 2560
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Jbcst.exe
      Command line: C:\Windows\SysWOW64\Jbcst.exe -acsi
      PID: 2644
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 650KB
MD5: 11d53aeb002e7e97ec2598bebd30621c
SHA1: eee1a497524f9504a6f79f1e0bcd561bf16651a9
SHA256: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441
SHA512: f49d1cd55489b1d296949116a704e8ad8d73345669db6ae9a3a3c7a5f49e0a4248d903c4e9a519a3ee7c6d38ac85bf87b0c59beb08ced05975acb0be0cc3f6bc