Resubmissions
11-01-2024 12:13
240111-pd5mxsgcg2 10General
-
Target
Booking.com-1728394029 (3).js
-
Size
231KB
-
Sample
240111-pd5mxsgcg2
-
MD5
2a91f62c613c3697cde4b8ed9baa5561
-
SHA1
d5330fd9022c0f133f0d5c36ba6c11a7962a6445
-
SHA256
2c4cf068b9e7270aa86b449a52f73886d8dbcdc93114fab786a2d04b404dfc31
-
SHA512
4964492ba385d03d9c4271ae3cc497998b2d9d4db6ecc235d1daf3c193c2a7265a6f709652e4e108ffe0d2a195a904e75409190b2ff82ad08a97122e18ee11f3
-
SSDEEP
96:fumTnPP4JVbqOI0QQCEJmn0aXgFEEy1e+4wNA/JM:WInXuMOI0QQbm0aXgFEEy1e+4wNA/JM
Malware Config
Targets
-
-
Target
Booking.com-1728394029 (3).js
-
Size
231KB
-
MD5
2a91f62c613c3697cde4b8ed9baa5561
-
SHA1
d5330fd9022c0f133f0d5c36ba6c11a7962a6445
-
SHA256
2c4cf068b9e7270aa86b449a52f73886d8dbcdc93114fab786a2d04b404dfc31
-
SHA512
4964492ba385d03d9c4271ae3cc497998b2d9d4db6ecc235d1daf3c193c2a7265a6f709652e4e108ffe0d2a195a904e75409190b2ff82ad08a97122e18ee11f3
-
SSDEEP
96:fumTnPP4JVbqOI0QQCEJmn0aXgFEEy1e+4wNA/JM:WInXuMOI0QQbm0aXgFEEy1e+4wNA/JM
Score10/10-
UAC bypass
-
Blocklisted process makes network request
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Registers COM server for autorun
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1