Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
submitted: 29/08/2023, 19:39
Static task: static1
Behavioral task: behavioral1
Sample: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Resource: win7-20230712-en
General
Target: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Size: 650KB
MD5: 11d53aeb002e7e97ec2598bebd30621c
SHA1: eee1a497524f9504a6f79f1e0bcd561bf16651a9
SHA256: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441
SHA512: f49d1cd55489b1d296949116a704e8ad8d73345669db6ae9a3a3c7a5f49e0a4248d903c4e9a519a3ee7c6d38ac85bf87b0c59beb08ced05975acb0be0cc3f6bc
SSDEEP: 12288:mutTZV/qb9ylN28aE2GThX8xbNpaF/4esnMzIiTe:BNZEbCfCGTqx+F/IViTe
Malware Config
Signatures
Purplefox rootkit (yara rule purplefox_rootkit) 11 IoCs
resource  yara_rule
behavioral2/memory/1320-3-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/1320-2-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/1320-4-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4308-12-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4308-13-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/1320-14-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/4308-17-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/2120-21-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/2120-23-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/2120-25-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
behavioral2/memory/2120-28-0x0000000010000000-0x00000000101BA000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
resource  yara_rule
behavioral2/memory/1320-3-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1320-2-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1320-4-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/4308-12-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/4308-13-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/1320-14-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/4308-17-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/2120-21-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/2120-23-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/2120-25-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
behavioral2/memory/2120-28-0x0000000010000000-0x00000000101BA000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
description  ioc  Process
File created  C:\Windows\system32\drivers\QAssist.sys  Jbcst.exe
Sets service image path in registry 2 TTPs 1 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Jbcst.exe
Executes dropped EXE 2 IoCs
pid  Process
4308  Jbcst.exe
2120  Jbcst.exe
UPX packed file (yara rule upx) 13 IoCs
resource  yara_rule
behavioral2/memory/1320-0-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/1320-3-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/1320-2-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/1320-4-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4308-9-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4308-12-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4308-13-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/1320-14-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/4308-17-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/2120-21-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/2120-23-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/2120-25-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
behavioral2/memory/2120-28-0x0000000010000000-0x00000000101BA000-memory.dmp  upx
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (22 entries, one per drive letter; A:, C:, D: and F: do not appear)  Jbcst.exe
Drops file in System32 directory 2 IoCs
description  ioc  Process
File created  C:\Windows\SysWOW64\Jbcst.exe  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
File opened for modification  C:\Windows\SysWOW64\Jbcst.exe  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Modifies data under HKEY_USERS 5 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  Jbcst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  Jbcst.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  Jbcst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum  Jbcst.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  Jbcst.exe
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
3820  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2120  Jbcst.exe  (64 identical entries)
Suspicious behavior: LoadsDriver 1 IoCs
pid  Process
2120  Jbcst.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description  pid  Process
Token: SeIncBasePriorityPrivilege  1320  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
Token: SeLoadDriverPrivilege  2120  Jbcst.exe
Token: 33  2120  Jbcst.exe
Token: SeIncBasePriorityPrivilege  2120  Jbcst.exe
Token: 33  2120  Jbcst.exe
Token: SeIncBasePriorityPrivilege  2120  Jbcst.exe
Suspicious use of WriteProcessMemory 9 IoCs
description  pid  Process  procid_target
PID 1320 wrote to memory of 2056  1320  069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe  83  (3 entries)
PID 4308 wrote to memory of 2120  4308  Jbcst.exe  84  (3 entries)
PID 2056 wrote to memory of 3820  2056  cmd.exe  86  (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe"
  PID: 1320
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\069303~1.EXE > nul
      PID: 2056
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 2 127.0.0.1
          PID: 3820
          - Runs ping.exe

C:\Windows\SysWOW64\Jbcst.exe
  Command line: C:\Windows\SysWOW64\Jbcst.exe -auto
  PID: 4308
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Jbcst.exe
      Command line: C:\Windows\SysWOW64\Jbcst.exe -acsi
      PID: 2120
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Enumerates connected drives
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
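The signature rows and process tree above describe a single chain: the sample copies itself to C:\Windows\SysWOW64\Jbcst.exe, a cmd.exe child removes the original with the ping-then-del idiom, and the dropped copy (PID 2120) writes QAssist.sys into the drivers directory, points the QAssist service ImagePath at it and enables SeLoadDriverPrivilege before the LoadsDriver behaviour fires. The Python below is an added example for this page, not code from the Triage report or from the sample: it correlates event records into those three findings. The events are constructed here to mirror the rows above (they are not a real log capture), and the record schema (type, pid, image, path, key, value, cmdline, privilege) is this example's own assumption rather than Triage's or Sysmon's.

```python
"""Correlate sandbox/EDR-style events into the install chain seen in this report.

Added example for this page, not code from the report or the sample. The event
records below are constructed to mirror the signature rows above; the record
schema (type/pid/image/path/key/value/cmdline/privilege) is this example's own
assumption, not Triage's or Sysmon's.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441.exe"
DROPPED = r"C:\Windows\SysWOW64\Jbcst.exe"

# Constructed events, in report order (not a real log capture).
SAMPLE_EVENTS = [
    {"type": "file_created", "pid": 1320, "image": SAMPLE, "path": DROPPED},
    {"type": "process_created", "pid": 2056, "ppid": 1320, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\069303~1.EXE > nul"},
    {"type": "process_created", "pid": 3820, "ppid": 2056, "image": r"C:\Windows\SysWOW64\PING.EXE", "cmdline": "ping -n 2 127.0.0.1"},
    {"type": "process_created", "pid": 4308, "ppid": None, "image": DROPPED, "cmdline": DROPPED + " -auto"},
    {"type": "process_created", "pid": 2120, "ppid": 4308, "image": DROPPED, "cmdline": DROPPED + " -acsi"},
    {"type": "file_created", "pid": 2120, "image": DROPPED, "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "reg_set", "pid": 2120, "image": DROPPED,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath", "value": r"system32\DRIVERS\QAssist.sys"},
    {"type": "privilege", "pid": 2120, "image": DROPPED, "privilege": "SeLoadDriverPrivilege"},
]

# "ping -n N 127.0.0.1 ... && del <path>": sleep via ping, then delete the original binary.
SELF_DELETE_RE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+(?P<target>\S+)", re.IGNORECASE)
# ...\Services\<name>\ImagePath under any control set.
IMAGEPATH_RE = re.compile(r"\\services\\(?P<svc>[^\\]+)\\imagepath$", re.IGNORECASE)
# ntpath.normcase lower-cases and normalises slashes on any host OS.
DRIVERS_DIR = ntpath.normcase(r"C:\Windows\System32\drivers") + "\\"


def find_self_delete(events):
    """(pid, deleted path) for every cmd.exe whose command line is the ping-then-del idiom."""
    hits = []
    for e in events:
        if e["type"] == "process_created" and ntpath.basename(e["image"]).lower() == "cmd.exe":
            m = SELF_DELETE_RE.search(e["cmdline"])
            if m:
                hits.append((e["pid"], m.group("target")))
    return hits


def find_driver_installs(events):
    """Per pid that wrote a .sys under drivers\\: the service whose ImagePath names that
    driver (ImagePath is stored system-root relative, so match on the file name) and
    whether SeLoadDriverPrivilege was enabled. complete_chain is True only if all three line up."""
    st = defaultdict(lambda: {"drivers": [], "service": None, "image_path": None, "priv": False})
    for e in events:
        s = st[e["pid"]]
        if e["type"] == "file_created":
            p = ntpath.normcase(e["path"])
            if p.startswith(DRIVERS_DIR) and p.endswith(".sys"):
                s["drivers"].append(e["path"])
        elif e["type"] == "reg_set":
            m = IMAGEPATH_RE.search(e["key"])
            if m:
                s["service"], s["image_path"] = m.group("svc"), e["value"]
        elif e["type"] == "privilege" and e["privilege"] == "SeLoadDriverPrivilege":
            s["priv"] = True
    out = {}
    for pid, s in st.items():
        if not s["drivers"]:
            continue
        names = {ntpath.basename(d).lower() for d in s["drivers"]}
        ip = ntpath.basename(s["image_path"]).lower() if s["image_path"] else None
        service = s["service"] if ip in names else None
        out[pid] = {"driver": s["drivers"][0], "service": service,
                    "load_driver_privilege": s["priv"], "complete_chain": bool(service) and s["priv"]}
    return out


def find_dropped_then_executed(events):
    """Files created by one process that later run as the image of a different process."""
    created = {}
    for e in events:
        if e["type"] == "file_created":
            created.setdefault(ntpath.normcase(e["path"]), (e["pid"], e["path"]))
    out = {}
    for e in events:
        if e["type"] == "process_created":
            hit = created.get(ntpath.normcase(e["image"]))
            if hit and hit[0] != e["pid"]:
                out.setdefault(hit[1], {"dropped_by": hit[0], "executed_as": []})["executed_as"].append(e["pid"])
    return out


if __name__ == "__main__":
    print("self-delete:", find_self_delete(SAMPLE_EVENTS))
    print("driver installs:", find_driver_installs(SAMPLE_EVENTS))
    print("dropped then executed:", find_dropped_then_executed(SAMPLE_EVENTS))
```

Run stand-alone, it reports the cmd.exe self-removal (PID 2056 deleting 069303~1.EXE), the dropped Jbcst.exe executing as PIDs 4308 and 2120, and a complete driver-install chain for PID 2120 (QAssist.sys, service QAssist, SeLoadDriverPrivilege). The ImagePath comparison is deliberately done on the driver file name because the registry stores a system-root relative path ("system32\DRIVERS\QAssist.sys") while the file event carries the absolute path; a pid that drops a .sys without a matching ImagePath or without the privilege is still listed, with complete_chain False, so the partial signal is not lost.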
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 650KB
MD5: 11d53aeb002e7e97ec2598bebd30621c
SHA1: eee1a497524f9504a6f79f1e0bcd561bf16651a9
SHA256: 069303284797fc51fbfc25356e528442a323f009ee858127ce4d2c2f1236b441
SHA512: f49d1cd55489b1d296949116a704e8ad8d73345669db6ae9a3a3c7a5f49e0a4248d903c4e9a519a3ee7c6d38ac85bf87b0c59beb08ced05975acb0be0cc3f6bc