General

  • Target

    update.js

  • Size

    114KB

  • Sample

    240129-wxswssfhe4

  • MD5

    1e5517d4390ea9cf0a97bc08a88ce8f9

  • SHA1

    75ab46b29fb2a43710cee16f6947dc31763921ca

  • SHA256

    7a153e840b1e15b0ca6f9c99072fb34efc759c6f96e24b1c01d8cfc1b5cf9e78

  • SHA512

    354d548f71853a127d993285b97420e7c89cef1526535d9d0bb058a798b4accd9c0d98fe13b4bfb45452beb1c8a7b8254723ebe2ad50fe18dceeab61bf28036f

  • SSDEEP

    1536:AlarcxElarcxElarcxRlarcx4QNlarcxElarcxElarcx8larcxElarcxElarcxu:ADxEDxEDxRDxxDxEDxEDx8DxEDxEDxu

Malware Config

  • Extracted

    Language: ps1

  • URLs

    ps1.dropper: https://ghostcitygames.com/data.php?8788

    exe.dropper: https://ghostcitygames.com/data.php?8788

Targets

    • Target

      update.js

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application
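
The behaviours flagged above, expressed as detection logic over host telemetry. This is an added example and not part of the sandbox report: it runs over a constructed set of Sysmon-style events (EventID 1 ProcessCreate, 3 NetworkConnect, 13 RegistryEvent) that mirror the chain the report describes (update.js run by wscript.exe, a PowerShell stage fetching from ghostcitygames.com, a dropped executable, a Run key). The event values, the process GUIDs, the user path, and the assumption that the dropped NetSupport client keeps its stock file name client32.exe are all constructed here, not taken from the report, which does not list the dropped file names.

```python
"""Hunt for the behaviours a sandbox flags on this sample, over Sysmon-style events.

Added example, not part of the sandbox report. Events below are constructed.
"""
import ntpath
import re

# Script hosts whose outbound connections are rarely legitimate on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Directories a low-privilege script can write to and run from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
# Per-user and per-machine autostart keys (Run and RunOnce).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# NetSupport Manager's client executable. Assumed name: the report does not
# list what the dropper wrote to disk.
NETSUPPORT_BINARIES = {"client32.exe"}

# Constructed sample events (not from the sandbox run). Field names follow Sysmon.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\update.js"'},
    {"EventID": 3, "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "ghostcitygames.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass"},
    {"EventID": 3, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "ghostcitygames.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Users\u\AppData\Roaming\NS\client32.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\u\AppData\Roaming\NS\client32.exe"},
    {"EventID": 13, "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1234\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"C:\Users\u\AppData\Roaming\NS\client32.exe"},
    # Benign noise: a browser talking to the network, explorer starting notepad.
    {"EventID": 3, "ProcessGuid": "{D}", "Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "DestinationHostname": "example.org", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{E}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (rule, ProcessGuid, detail) for every event that matches a rule.

    Rules mirror the report's signatures: script host making a network request,
    dropped EXE executed from a user-writable path, NetSupport client started,
    Run key written. A single event may hit more than one rule.
    """
    findings = []
    for e in events:
        eid = e["EventID"]
        image = basename(e.get("Image", ""))
        if eid == 3 and image in SCRIPT_HOSTS:
            findings.append(("script_host_network_request", e["ProcessGuid"],
                             e.get("DestinationHostname")))
        elif eid == 1:
            parent = basename(e.get("ParentImage", ""))
            if parent in SCRIPT_HOSTS and USER_WRITABLE.search(e["Image"]):
                findings.append(("executes_dropped_exe", e["ProcessGuid"], e["Image"]))
            if image in NETSUPPORT_BINARIES:
                findings.append(("netsupport_client_started", e["ProcessGuid"], e["Image"]))
        elif eid == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            findings.append(("run_key_persistence", e["ProcessGuid"], e.get("Details")))
    return findings


if __name__ == "__main__":
    for rule, guid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:30} {guid:5} {detail}")
```

The "Checks computer location settings" signature is deliberately not covered: Sysmon records registry writes, not reads, so a lookup of the configured GeoID (typically the Nation value under HKCU\Control Panel\International\Geo) only shows up in an API trace or in the sandbox's own signature, not in this kind of telemetry. The two network-request hits (wscript.exe and the PowerShell child) are separate findings on purpose; correlating them into one alert by walking ParentImage is the natural next step.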

MITRE ATT&CK Enterprise v15