Analysis
  max time kernel: 141s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  submitted: 22/01/2024, 07:36 UTC

Static task: static1

Behavioral task: behavioral1
  Sample: SKM_C258201001130020005057.js
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: SKM_C258201001130020005057.js
  Resource: win10v2004-20231215-en
General
  Target: SKM_C258201001130020005057.js
  Size: 469KB
  MD5: 8fed7262f75ec7c978a03e8177dfadab
  SHA1: 3c95b2b69114082581b28a34533cbcddefd72516
  SHA256: 7a2fd40a032e726bde8638b079963c499d20c7c197a0f91544f458977fbd3304
  SHA512: 22a2ca24da0dd5d7a665d84fc58cc36013716d4605518f3c035d0bc5e6944825267e332708eb26623cba4e2d7b57b395caab6c5628b9e88f510fb23a8871e9f2
  SSDEEP: 6144:Qy6COPsZV2SvRmFgI9smdixnlahHhUgy6COPsZV2SvRmFgI9smdixnlahHhUt:wux5mFg6slxuKAux5mFg6slxuKt
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried by wscript.exe: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
  File created by WScript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kgjBVaIrAu.js
  File opened for modification by WScript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kgjBVaIrAu.js

Modifies file permissions (1 TTP, 1 IoC)
  PID 2448 icacls.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by WScript.exe: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG = "C:\Users\Admin\AppData\Roaming\kgjBVaIrAu.js"
  (the value data is the quoted path to the dropped script)

Drops file in Program Files directory (12 IoCs)
  All 12 are files opened for modification by javaw.exe under C:\Program Files\Java\jre-1.8\bin\:
    jvm.pdb, ntdll.pdb
    dll\jvm.pdb, dll\ntdll.pdb
    symbols\dll\jvm.pdb, symbols\dll\ntdll.pdb
    server\jvm.pdb, server\ntdll.pdb
    server\dll\jvm.pdb, server\dll\ntdll.pdb
    server\symbols\dll\jvm.pdb, server\symbols\dll\ntdll.pdb
  This is the dbghelp symbol search pattern (module directory, then dll\, then symbols\dll\) and is a side effect of the JVM loading; treat it as noise rather than as a payload written to Program Files.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created by wscript.exe: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4080 wscript.exe wrote to memory of PID 8 (procid 86), 2 events
  PID 4080 wscript.exe wrote to memory of PID 3224 (procid 88), 2 events
  PID 3224 javaw.exe wrote to memory of PID 2448 (procid 90), 2 events
  Each pair lines up with a process creation in the tree below (a parent writing into the child it just spawned); no write into an unrelated process is recorded.
Processes

The chain: the submitted script launches a second script from %APPDATA% (which sets the Run key and Startup-folder persistence) and runs a JAR stored with a .txt extension under javaw.exe; that JAR then loosens the ACL on .oracle_jre_usage.

C:\Windows\system32\wscript.exe  (PID 4080)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.js
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe  (PID 8, child of 4080)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kgjBVaIrAu.js"
    - Drops startup file
    - Adds Run key to start application

  C:\Program Files\Java\jre-1.8\bin\javaw.exe  (PID 3224, child of 4080)
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ayznhqes.txt"
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\icacls.exe  (PID 2448, child of 3224)
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      - Modifies file permissions
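The process chain and persistence artifacts above translate directly into host detection logic. The following Python is an added example, not tria.ge output and not the sample's own code: its event records are constructed to mirror this report's process tree, Run-key write and Startup-folder drop (plus one assumed benign javaw launch as a control), and the event schema, rule names and regexes are assumptions made for the example.

```python
"""Rules over the behaviour chain in this report (added example, not tria.ge code).

The event records below are constructed to mirror the report's process tree,
Run-key write and Startup-folder drop.  The event schema (type/pid/ppid/image/
cmdline/key/value/path), the rule names and the benign control event are
assumptions made for this example.
"""
import ntpath
import re

SID = "S-1-5-21-3791175113-1062217823-1177695025-1000"  # SID seen in the report

EVENTS = [  # constructed, Sysmon-like shape
    {"type": "process", "pid": 4080, "ppid": 1234,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.js"},
    {"type": "process", "pid": 8, "ppid": 4080,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\kgjBVaIrAu.js"'},
    {"type": "process", "pid": 3224, "ppid": 4080,
     "image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ayznhqes.txt"'},
    {"type": "process", "pid": 2448, "ppid": 3224,
     "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'},
    {"type": "registry_set", "pid": 8,
     "key": "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0HKX5ALWLG",
     "value": r'"C:\Users\Admin\AppData\Roaming\kgjBVaIrAu.js"'},
    {"type": "file_create", "pid": 8,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kgjBVaIrAu.js"},
    # Assumed benign control: a real .jar launched by a non-script parent must not fire.
    {"type": "process", "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Program Files\SomeApp\app.jar"'},
]

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_HOSTS = {"javaw.exe", "java.exe"}
# A Windows path ending in a script extension; quoted or bare.
SCRIPT_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:js|jse|vbs|vbe|wsf))(?![\w.])', re.I)
# The -jar argument, quoted (may contain spaces) or bare.
JAR_ARG_RE = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
GRANT_EVERYONE_RE = re.compile(r'/grant(?::r)?\s+"?everyone"?:', re.I)


def basename(path):
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return a sorted list of (rule, pid) findings for the event list."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = set()
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            img = basename(e["image"])
            parent = procs.get(e["ppid"])  # None when the parent was not logged
            if img in SCRIPT_HOSTS:
                m = SCRIPT_PATH_RE.search(e["cmdline"])
                if m and "\\appdata\\" in m.group(1).lower():
                    findings.add(("script_host_runs_script_from_appdata", pid))
            if img in JAVA_HOSTS:
                m = JAR_ARG_RE.search(e["cmdline"])
                jar = (m.group(1) or m.group(2)) if m else None
                if jar and not jar.lower().endswith(".jar"):
                    findings.add(("java_jar_with_disguised_extension", pid))
                if parent and basename(parent["image"]) in SCRIPT_HOSTS:
                    findings.add(("java_spawned_by_script_host", pid))
            if img == "icacls.exe" and GRANT_EVERYONE_RE.search(e["cmdline"]):
                findings.add(("icacls_grants_everyone", pid))
        elif e["type"] == "registry_set":
            if ("\\currentversion\\run\\" in e["key"].lower()
                    and e["value"].lower().rstrip('"').endswith(SCRIPT_EXT)):
                findings.add(("run_key_points_to_script", pid))
        elif e["type"] == "file_create":
            p = e["path"].lower()
            if "\\start menu\\programs\\startup\\" in p and p.endswith(SCRIPT_EXT):
                findings.add(("startup_folder_script_drop", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{pid:>5}  {rule}")
```

Each rule is independent, so a single unusual but legitimate event (an admin running icacls, say) yields one finding; the chain in this report yields all six rule types across four processes, which is the signal worth alerting on.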
Network
-
All DNS queries went to 8.8.8.8:53. Byte and packet counts are given as sent / received.

Flows (endpoint columns are not present in this extract):
  52 B sent, 1 packet
  7.4 kB / 377.2 kB, 144 / 278 packets
  7.9 kB / 410.6 kB, 156 / 302 packets
  11.8 kB / 647.7 kB, 242 / 472 packets
  1.4 kB / 7.0 kB, 14 / 15 packets

DNS queries, in order. Of the 36 queries, 21 are A lookups of bethhavens.duia.ro and none of them returned an answer record; since the name never resolved, nothing in this run reached that host. Every DNS flow is 1 packet sent / 1 received.
  196.249.167.52.in-addr.arpa     PTR  (no answer)                                           73 B / 147 B
  bethhavens.duia.ro              A    (no answer)                                           64 B / 120 B
  173.178.17.96.in-addr.arpa      PTR  a96-17-178-173.deploy.static.akamaitechnologies.com  72 B / 137 B
  repo1.maven.org                 A    CNAME dualstack.sonatype.map.fastly.net; A 199.232.192.209, 199.232.196.209   61 B / 140 B
  github.com                      A    140.82.121.4                                          56 B / 72 B
  209.192.232.199.in-addr.arpa    PTR  (no answer)                                           74 B / 128 B
  4.121.82.140.in-addr.arpa       PTR  lb-140-82-121-4-fra.github.com                        71 B / 115 B
  72.32.126.40.in-addr.arpa       PTR  (no answer)                                           71 B / 157 B
  95.221.229.192.in-addr.arpa     PTR  (no answer)                                           73 B / 144 B
  objects.githubusercontent.com   A    185.199.108.133, 185.199.109.133, 185.199.110.133, 185.199.111.133   75 B / 139 B
  228.249.119.40.in-addr.arpa     PTR  (no answer)                                           73 B / 159 B
  bethhavens.duia.ro  (x3)        A    (no answer)                                           64 B / 120 B each
  18.31.95.13.in-addr.arpa        PTR  (no answer)                                           70 B / 144 B
  183.59.114.20.in-addr.arpa      PTR  (no answer)                                           72 B / 158 B
  bethhavens.duia.ro              A    (no answer)                                           64 B / 120 B
  18.134.221.88.in-addr.arpa      PTR  a88-221-134-18.deploy.static.akamaitechnologies.com  72 B / 137 B
  bethhavens.duia.ro  (x7)        A    (no answer)                                           64 B / 120 B each
  14.227.111.52.in-addr.arpa      PTR  (no answer)                                           72 B / 158 B
  bethhavens.duia.ro  (x8)        A    (no answer)                                           64 B / 120 B each
  204.201.50.20.in-addr.arpa      PTR  (no answer)                                           72 B / 158 B
  bethhavens.duia.ro              A    (no answer)                                           64 B / 120 B
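The DNS listing above is dominated by repeated, unanswered A lookups of one dynamic-DNS name, which is the pattern a beaconing implant produces when its C2 host is down. The following Python is an added example, not part of the tria.ge report: it parses rows in the listing's "Request <name> IN <type> Response <answers>" shape (the run-together form the page extract uses is accepted too), tallies queries and answers per name, and flags names queried repeatedly without an answer. SAMPLE_LOG is constructed from this report's names with fewer repeats than the real listing; the dynamic-DNS suffix list and the threshold of five are assumptions.

```python
"""Summarise the DNS activity of a tria.ge-style network listing.

Added example, not part of the report.  SAMPLE_LOG is constructed from this
report's DNS rows (same names and answer/no-answer pattern, fewer repeats).
The dynamic-DNS suffix list and the repeat threshold are assumptions.
"""
import re
from collections import defaultdict

# "Request <name> IN <qtype> Response <answers...>"; tolerates missing spaces.
DNS_LINE_RE = re.compile(
    r"Request\s*(?P<name>\S+?)\s*IN\s+(?P<qtype>[A-Z]+)\s*Response(?P<answers>.*)$")
# IPv4 A-record answers inside the answers part.
A_RECORD_RE = re.compile(r"IN\s+A\s*(\d{1,3}(?:\.\d{1,3}){3})")

DDNS_SUFFIXES = (".duia.ro", ".duckdns.org", ".no-ip.org", ".ddns.net")  # assumed list
REPEAT_THRESHOLD = 5  # assumed: unanswered queries to one name before flagging

SAMPLE_LOG = """\
Remote address: 8.8.8.8:53 Request 196.249.167.52.in-addr.arpa IN PTR Response
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
Remote address: 8.8.8.8:53 Request repo1.maven.org IN A Response repo1.maven.org IN CNAME dualstack.sonatype.map.fastly.net dualstack.sonatype.map.fastly.net IN A 199.232.192.209 dualstack.sonatype.map.fastly.net IN A 199.232.196.209
Remote address: 8.8.8.8:53 Request github.com IN A Response github.com IN A 140.82.121.4
Remote address: 8.8.8.8:53 Request objects.githubusercontent.com IN A Response objects.githubusercontent.com IN A 185.199.108.133 objects.githubusercontent.com IN A 185.199.109.133
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
Remote address: 8.8.8.8:53 Request bethhavens.duia.ro IN A Response
"""


def summarise(log_text):
    """Per-name query count, answered count and the set of A-record answers."""
    stats = defaultdict(lambda: {"qtype": "", "queries": 0, "answered": 0, "addresses": set()})
    for line in log_text.splitlines():
        m = DNS_LINE_RE.search(line)
        if not m:
            continue
        rec = stats[m.group("name").lower()]
        rec["qtype"] = m.group("qtype")
        rec["queries"] += 1
        addrs = A_RECORD_RE.findall(m.group("answers"))
        if addrs:
            rec["answered"] += 1
            rec["addresses"].update(addrs)
    return dict(stats)


def classify(stats):
    """Map each queried name to a triage verdict string."""
    verdicts = {}
    for name, rec in stats.items():
        if rec["qtype"] == "PTR":
            verdicts[name] = "reverse lookup"
            continue
        unanswered = rec["queries"] - rec["answered"]
        ddns = name.endswith(DDNS_SUFFIXES)
        if unanswered >= REPEAT_THRESHOLD and ddns:
            verdicts[name] = "probable C2 beacon: repeated unanswered queries to a dynamic-DNS name"
        elif unanswered >= REPEAT_THRESHOLD:
            verdicts[name] = "repeated unanswered queries: review for beaconing"
        elif ddns:
            verdicts[name] = "dynamic-DNS name: review"
        else:
            verdicts[name] = "resolved"
    return verdicts


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for name, verdict in classify(stats).items():
        rec = stats[name]
        print(f"{name:32} {rec['queries']:3} queries {rec['answered']:3} answered  {verdict}")
```

Run against the full listing, bethhavens.duia.ro scores 21 queries and 0 answers, while repo1.maven.org, github.com and objects.githubusercontent.com resolve once each; the PTR rows are reverse lookups of the resolved addresses and carry no triage weight on their own.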
MITRE ATT&CK Enterprise v15
Downloads

File 1 (46B)
  MD5: a9ca4bef049cff32a358bdc6129dfedc
  SHA1: f163cdb4f06bce6ab7d5e2f70bf0f6d2bbd3eb2c
  SHA256: 39a7d30b5e37c24d2d12f17886cf39a185aa2bbd32c6ef35a419721f885a0cf1
  SHA512: d2e8c44f4dea8f21f2d0b625db18b5c8c3773288ce6d0b1845872803aa6f7bbe6f756f238509a3a2963422a65c17260db75911e3a98596d6b44df9702925a8bc

File 2 (107KB)
  MD5: e38670aa13e73105b5b518779c4983df
  SHA1: dbed21eea88ad1574999e3db2b6d7eb19b5a2979
  SHA256: e0141d12da8d9172a5ea7bad725a5f0c4a766473b914d1f6b2b1485a7eeadf8f
  SHA512: f2fa507968f7c817ca55001215610a39cebd35ab76696593f87efc7f504572e2da3cdf5355c80cb420eb767dee950b5a7b71f83ba898ac08ac11f6be099c397e

File 3 (14KB)
  MD5: f74ee95cc8fbe51c705384a7dcc5a701
  SHA1: b15a636ca2ce2f45dd466e5ee463f1cfed9fd64b
  SHA256: a86309235858dbc9f91f1a8405a3599a70f2394b7671889c9f6a1b05831c3407
  SHA512: e68783102258f983e31d4ffd7f4b532957072207dad9b892f388924d17e8909ac21cb59d823cd3dcedb066f69ac9053c8992cc40204f86798932eef2179d3ad6