General

  • Target

    ARS17291729317291729.js

  • Size

    22KB

  • Sample

    240207-lh41eafdg6

  • MD5

    f11df5cf2e7e9c6b39612f3f60d9e9f2

  • SHA1

    d919fe3bd69418f9e96569f9e73b4a1fa1cde9e9

  • SHA256

    2770b332ef571a1462e5a38778307106e16ba66dca58717fe40f6f76259b717b

  • SHA512

    1629a66eb3f8f48fa15d016995eb26f7b6342420eac8f34fdf42d514db1be5813df7a40f553b63da16b8eb6bde66d35297d23c63cffa252951988a28242e65bf

  • SSDEEP

    384:swbhSjLO+uDvTeLoxguxAR02OY4PLRyxag8YvA9DWWRUwuoLljIzPNWHvrHejQlJ:pwLOxvTeLoxguxARGPLRyxag8YvA9DWu

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://assime.ca/command.php

Extracted

  • Language

    ps1

  • Source

  • URLs

    exe.dropper: http://sakaleralo.com/ccea268b-8716-46be-9148-3e614b38a0df.txt

Targets

    • Target

      ARS17291729317291729.js

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks