Overview
overview
10Static
static
7gemme ya b...01.exe
windows7-x64
8gemme ya b...01.exe
windows10-2004-x64
8$PLUGINSDI...os.dll
windows7-x64
3$PLUGINSDI...os.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$R9/NsCpuC...32.exe
windows7-x64
7$R9/NsCpuC...32.exe
windows10-2004-x64
7$R9/NsCpuC...64.exe
windows7-x64
7$R9/NsCpuC...64.exe
windows10-2004-x64
7$R9/Plugin...os.dll
windows7-x64
3$R9/Plugin...os.dll
windows10-2004-x64
3$R9/Plugins/inetc.dll
windows7-x64
3$R9/Plugins/inetc.dll
windows10-2004-x64
3info.vbe
windows7-x64
8info.vbe
windows10-2004-x64
8$R9/Plugins/tftp.exe
windows7-x64
8$R9/Plugins/tftp.exe
windows10-2004-x64
10$R9/Stubs/bzip2.exe
windows7-x64
3$R9/Stubs/bzip2.exe
windows10-2004-x64
3$R9/Stubs/...id.exe
windows7-x64
3$R9/Stubs/...id.exe
windows10-2004-x64
3$R9/Stubs/lzma.exe
windows7-x64
3$R9/Stubs/lzma.exe
windows10-2004-x64
3$R9/Stubs/zlib.exe
windows7-x64
3$R9/Stubs/zlib.exe
windows10-2004-x64
3$R9/makensis.exe
windows7-x64
1$R9/makensis.exe
windows10-2004-x64
1$TEMP/tftp.exe
windows7-x64
10$TEMP/tftp.exe
windows10-2004-x64
10gemme ya booty/c.sh
windows7-x64
3gemme ya booty/c.sh
windows10-2004-x64
3General
-
Target
gemme ya booty.zip
-
Size
3.4MB
-
Sample
240411-f4bm4agc8t
-
MD5
22facc5af6e2d7a420d80f92e2cffcb3
-
SHA1
8036cfa1c553d4421329f5a50bb3f3343816dbde
-
SHA256
6b189ad141b75544c1ab7cf29db7d5bb4d570d045d0b99556bc3e742dc0a3a37
-
SHA512
6f139b25a3057ac3698b058274b80807597536b805948fd840201a149822f747a7f8b49db39b56c486156b7ac51b59fee632246784a073e3a9e6b0693695514c
-
SSDEEP
98304:hnOdKjVchU1ZBWlvKlgl8zyxcuoFMJgzS8tB:MvhUnayiSzgeFMJgzS8T
Behavioral task
behavioral1
Sample
gemme ya booty/IMG001.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
gemme ya booty/IMG001.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/ExecDos.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/ExecDos.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$R9/NsCpuCNMiner32.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$R9/NsCpuCNMiner32.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$R9/NsCpuCNMiner64.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$R9/NsCpuCNMiner64.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
$R9/Plugins/ExecDos.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
$R9/Plugins/ExecDos.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
$R9/Plugins/inetc.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$R9/Plugins/inetc.dll
Resource
win10v2004-20240319-en
Behavioral task
behavioral15
Sample
info.vbe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
info.vbe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
$R9/Plugins/tftp.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
$R9/Plugins/tftp.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
$R9/Stubs/bzip2.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
$R9/Stubs/bzip2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
$R9/Stubs/bzip2_solid.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$R9/Stubs/bzip2_solid.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
$R9/Stubs/lzma.exe
Resource
win7-20240220-en
Behavioral task
behavioral24
Sample
$R9/Stubs/lzma.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
$R9/Stubs/zlib.exe
Resource
win7-20240215-en
Behavioral task
behavioral26
Sample
$R9/Stubs/zlib.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
$R9/makensis.exe
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
$R9/makensis.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
$TEMP/tftp.exe
Resource
win7-20240319-en
Behavioral task
behavioral30
Sample
$TEMP/tftp.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
gemme ya booty/c.sh
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
gemme ya booty/c.sh
Resource
win10v2004-20240226-en
Malware Config
Extracted
Protocol: ftp- Host:
43.134.66.228 - Port:
21 - Username:
administrator - Password:
killer
Extracted
Protocol: ftp- Host:
37.251.150.88 - Port:
21 - Username:
administrator - Password:
pass
Extracted
Protocol: ftp- Host:
151.80.164.131 - Port:
21 - Username:
root - Password:
0000
Extracted
Protocol: ftp- Host:
35.214.143.230 - Port:
21 - Username:
admin - Password:
andrew
Extracted
Protocol: ftp- Host:
103.8.25.150 - Port:
21 - Username:
admin - Password:
123456789
Extracted
Protocol: ftp- Host:
62.109.26.179 - Port:
21 - Username:
admin - Password:
windows
Targets
-
-
Target
gemme ya booty/IMG001.exe
-
Size
3.4MB
-
MD5
908bb37015af1c863e8e73bb76fdb127
-
SHA1
da3c0542e7223d9a1caf327164a1d54597afa59b
-
SHA256
ff2787534a0da486583ac6aabed1f30b9af3d0c7ac2390771c167a60f2dd266c
-
SHA512
e96de2faa86c70361a9e15397e01b73e1126f6f97c195fa06d1ad491f874376f0a1b3a45518639e8eb594640048126bc73b924b8f2dce961dabf364dabad0155
-
SSDEEP
98304:MmVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bof:zVPq1yLanrqTr43eSQ
Score8/10-
Contacts a large (888) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
-
-
Target
$PLUGINSDIR/ExecDos.dll
-
Size
6KB
-
MD5
d7b975049ec3aba50e4b7cc654a28214
-
SHA1
25f2578945ebc9ac037fef7b7f94c5d48e42388b
-
SHA256
42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
-
SHA512
f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
-
SSDEEP
96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score3/10 -
-
-
Target
$PLUGINSDIR/inetc.dll
-
Size
21KB
-
MD5
d7a3fa6a6c738b4a3c40d5602af20b08
-
SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a
-
SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
-
SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
SSDEEP
384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score3/10 -
-
-
Target
$R9/NsCpuCNMiner32.exe
-
Size
1.4MB
-
MD5
3afeb8e9af02a33ff71bf2f6751cae3a
-
SHA1
fd358cfe41c7aa3aa9e4cf62f832d8ae6baa8107
-
SHA256
a0eba3fda0d7b22a5d694105ec700df7c7012ddc4ae611c3071ef858e2c69f08
-
SHA512
11a2c12d7384d2743d25b9e28fc4ea0c3e2771aca92875fd3350f457df66c66827d175f67108f1a56d958f3b1163f3a89eedb8919bf7973d037241a1e59231d5
-
SSDEEP
24576:gWKqa4hnzP3w7L3rmZmpk7FSQFW2iJ+N07/TwYV1CdZdQ+4lT+iFgiGTtswAtdz:gSrwf3aZmpOFU2iQNIUc1LxGTtswgd
Score7/10-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$R9/NsCpuCNMiner64.exe
-
Size
1.5MB
-
MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f
-
SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4
-
SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
-
SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5
-
SSDEEP
24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51
Score7/10-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$R9/Plugins/ExecDos.dll
-
Size
6KB
-
MD5
d7b975049ec3aba50e4b7cc654a28214
-
SHA1
25f2578945ebc9ac037fef7b7f94c5d48e42388b
-
SHA256
42422d912b9c626ad93eb8c036ad82ee67cfa48cf75259c20c327eddd4cc376f
-
SHA512
f95f7875aeab586d42ee48029f7feed6e2fd8a7d106671e225ff5cf9ad83375f0ec3b8b288177c5d48b4c51eeddde687d67e7b07ad324e24059cff0a6516c270
-
SSDEEP
96:31pNOe2w5QbJHsBiyw4uM4jEFVliuOtac32FOeSMV7WhWD:dj5Qb1sBPuijiu6avTyhW
Score3/10 -
-
-
Target
$R9/Plugins/inetc.dll
-
Size
21KB
-
MD5
d7a3fa6a6c738b4a3c40d5602af20b08
-
SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a
-
SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
-
SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
SSDEEP
384:oW4gLK82JvtosNCPhXKJ18hcEP1+f+pvMPbkdTg1Zahzs60Ac9khYLMkIX0+Gbyk:oW4i/2JloB5IQ9AhkwZaKRu
Score3/10 -
-
-
Target
info.vbe
-
Size
1KB
-
MD5
e9ffdb716af3d355b25096a8ed4de8ef
-
SHA1
66e2b15ba4dbfa127c3ec86abce666870a4a168a
-
SHA256
30daba44a4a25ff5750508613f897057a55337458f19b562e2ed1172c77e626b
-
SHA512
f157dc99dfd4c1bec37deba85ed5250f70e169ab2d21b2c75d7d94b4463608c3c74ed9ab773e1359735cb95cb1f38333887d3c8e65c80c0cdfeee8bcb0d019f3
Score8/10-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
$R9/Plugins/tftp.exe
-
Size
92KB
-
MD5
c9869112b8ea084c76f34dbba826f828
-
SHA1
e209c404bb404ec87b0b1cfd4577999f0064eb25
-
SHA256
bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea
-
SHA512
474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc
-
SSDEEP
1536:SOiJzywynfnJ0t1Pv2DURV0Q6aoxPxNUqwGI7Uns:4fyfJ0f2wR1VUns
Score10/10-
Contacts a large (1068) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
-
-
Target
$R9/Stubs/bzip2
-
Size
34KB
-
MD5
7ac2315d458a6c78f81f7167b164ef37
-
SHA1
f501956f346fe7ac49454f5eae54907eeb247f1d
-
SHA256
a32a41c520aa1d08d8e5cbc18c1994f92d47bede5cb8d3aca761579d242d249d
-
SHA512
00802299e1161ac3a3849678a0515e2ed4548a9c1397635fb546683a525f2dbaab8b90875d81821bc66b76c6669a309922284e818f510fb0d81d0c317458919b
-
SSDEEP
768:FqVnDX38+t1ehxQ7unyskUplx3tUeLTjWfgeOVGM4jjfS3XJvai:kjs+t1ehxQuntkULceeM4sXJz
Score3/10 -
-
-
Target
$R9/Stubs/bzip2_solid
-
Size
34KB
-
MD5
0a108faf2f740e2b1a97d64985fdd1b4
-
SHA1
e349e668f756ea4b9460bcb2be54504dc357d3d1
-
SHA256
5a9ecc6d9dbd32c54507496f022ecca949e18235bb0865e1aa345eb84e6af0cf
-
SHA512
3f27d919d40dfbd431c1516a8803178d5e699f91856e8f9616b7f3fdc755af863f25c29cf08191775ab04d1457a0db8741e1697a66bd2c84252de58942c16faf
-
SSDEEP
768:/Jyky/Nki4Q/JRQ/RZ49ylKR2e7jbEcIKFvGmjXO3XJOai:hiki4Q/JR2RZ49A1ecjXJ+
Score3/10 -
-
-
Target
$R9/Stubs/lzma
-
Size
33KB
-
MD5
9557ea4608e64b857c1125eb41ba7429
-
SHA1
d7276eccc032919c84fc05f206d3cdd0b40fe1fb
-
SHA256
b72d402fce699b21bbf0a4a86ab9fb7f8a083aeacd4f797be7a7f6f91ef93d62
-
SHA512
8eb238cd34668c12779553b7ef15cbeb4d8dd7aac36b5f044c680b83b04f7e2564905625e14ae5c5e06e4e9b5ccdb1663a08aa63a95e176266d59924061a6ce8
-
SSDEEP
768:/ip/4K0wirQK33PaH81Fej4w0kGvFONg4jjfS3XJWai:6Zr0wirt3/aEecbsg4sXJW
Score3/10 -
-
-
Target
$R9/Stubs/zlib
-
Size
35KB
-
MD5
346d3c8665f307a06aba85f8745360e8
-
SHA1
de87ba7e2553f0efd531d30d6a5997dab9a6bc2f
-
SHA256
c96383fe97a213140741bf5df71f322753200c094cb22db634e050d2be744a4f
-
SHA512
6d9910251618226bfd94c94661b86db0b6c07d5dbc5445cbd0ae7bd34fc42e0b2af53fbd14b57969cda9deb747dae7837209eb4c61b4b130b0170f584b839aa2
-
SSDEEP
768:x0gFJMBrbxJQJFiXDYwQ5NTdKqP5sCOfZ7jrG0D3cjfS3XJQai:xfYBrbzmFizYwUK1G0DRXJQ
Score3/10 -
-
-
Target
$R9/makensis.exe
-
Size
484KB
-
MD5
e79833cb0d7b2573819ded2122b57bdd
-
SHA1
71ead8cd4a95704a0cade630bb3ce280af7e028e
-
SHA256
572a6f9cb5b37b6eec13b578d346c2568ce3ec88bb711d75dac9e82fc01c8860
-
SHA512
4b023e60392ead0691621a1306286fda6cdc4c447f164c8f249c59db2500d8b98514d93c7a7e8d3cfd60818d2ca74e84ec24163492765b6c17fe94ea0385bd69
-
SSDEEP
12288:LhHlj+wtKJVIo9ZoACV6sil8+eSycI+Tt0XCyzLHWj:Lxl+0KJVpneV6siy+I+TtcCyzLHW
Score1/10 -
-
-
Target
$TEMP/tftp.exe
-
Size
92KB
-
MD5
c9869112b8ea084c76f34dbba826f828
-
SHA1
e209c404bb404ec87b0b1cfd4577999f0064eb25
-
SHA256
bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea
-
SHA512
474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc
-
SSDEEP
1536:SOiJzywynfnJ0t1Pv2DURV0Q6aoxPxNUqwGI7Uns:4fyfJ0f2wR1VUns
Score10/10-
Contacts a large (1053) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
-
-
Target
gemme ya booty/c.sh
-
Size
996B
-
MD5
0a746666a3c70b422673c91741cfbcbd
-
SHA1
3f946cc6aa0ef42705c6e52c697aa6908ed3e0c0
-
SHA256
691740332f2f6663cb2a7b774077317dedf6fc9921ee215209d4dd8f3247abad
-
SHA512
71c8af30d205978b3847d6c149601d2d51d83b6945156017186335e28ca3114d75053f4d156a0c9a6add1a2ce132e2c96b38e671ff00665bde34d558a68259b1
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1