Analysis Overview
SHA256
fbd4e06219737ce801ecf9c15c10df19d60fcacbc73d7ecf54d21bd13839b73d
Threat Level: Shows suspicious behavior
The file f4237f22e131216fc80bd6038ad92642_JaffaCakes118 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
UPX packed file
Reads CPU attributes
Checks CPU configuration
Enumerates kernel/hardware configuration
Unsigned PE
Enumerates physical storage devices
Reads runtime system information
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-16 19:09
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
116s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2428 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | C:\Windows\system32\cmd.exe |
| PID 2428 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe
"C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\515C.tmp\515D.tmp\516E.bat C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.99:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/2428-0-0x0000000140000000-0x0000000140027000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\515C.tmp\515D.tmp\516E.bat
| MD5 | 711f5ad5d6b048ff59bdcc288d9b0d34 |
| SHA1 | fd9f247f5b6ef89a5aa7b5ee48e90d6eff61bd3d |
| SHA256 | b1d6606f612077f05b7ac402e54482e11a5be1c3a32eab51e280176d1d2e87e8 |
| SHA512 | 20f34257e493dbf4c5e5f038a072e625b938b85ab0f5e81ee7f0318010413338d3094264c62cc4d6c04791496c7007f4c40f71ace381c8cbc7b875b12b2ddce6 |
memory/2428-3-0x0000000140000000-0x0000000140027000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-armhf-20240226-en
Max time kernel
10s
Command Line
Signatures
Processes
/tmp/node_modules/.bin/mime.ps1
[/tmp/node_modules/.bin/mime.ps1]
/usr/local/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/local/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-mipsel-20240226-en
Max time kernel
6s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
Processes
/tmp/node_modules/.bin/mime
[/tmp/node_modules/.bin/mime]
/bin/sed
[sed -e s,\\,/,g]
/usr/bin/dirname
[dirname /tmp/node_modules/.bin/mime]
/bin/uname
[uname]
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
0s
Max time network
135s
Command Line
Signatures
Processes
/tmp/node_modules/.bin/mime.ps1
[/tmp/node_modules/.bin/mime.ps1]
/usr/local/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/local/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/snap/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 151.101.194.49:443 | N/A | tcp |
| US | 151.101.193.91:443 | N/A | tcp |
| GB | 195.181.164.21:443 | N/A | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.66.49:443 | cdn.fwupd.org | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| US | 151.101.193.91:443 | N/A | tcp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| US | 1.1.1.1:53 | 1527653184.rsc.cdn77.org | udp |
| GB | 89.187.167.9:443 | 1527653184.rsc.cdn77.org | tcp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240221-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\array-flatten\array-flatten.js
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240319-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\accepts\index.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:12
Platform
win7-20240221-en
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\lib\read.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\lib\read.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1944 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
| PID 1944 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe
"C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5757.tmp\5758.tmp\5759.bat C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\5757.tmp\5758.tmp\5759.bat
| MD5 | 6d0f4158dd4535af1ab5b8f328f065c9 |
| SHA1 | 7ece4ab8cc7a2be48336b5c0f48dd68c68881aa3 |
| SHA256 | 588e0e165fa613bb53b2c3c8d7e40bd468c0c9fafb1929969c6fb84c15964a00 |
| SHA512 | 60bb1dbfac1d441ceea2296a74c5bff9957dbb638545e492180da7c1d89200c7e756002cce33d9f0c37e29958f142699ad1386360a8034d5da4c8f5e7881bbe1 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20231129-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\node_modules\.bin\mime.cmd"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\node_modules\.bin\mime.cmd"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\accepts\index.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
92s
Max time network
116s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\array-flatten\README.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240319-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\index.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 624 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
| PID 624 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
| PID 624 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
| PID 624 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe
"C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\117E.tmp\117F.tmp\1180.bat C:\Users\Admin\AppData\Local\Temp\FluxVerify[x32].exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\117E.tmp\117F.tmp\1180.bat
| MD5 | 6d0f4158dd4535af1ab5b8f328f065c9 |
| SHA1 | 7ece4ab8cc7a2be48336b5c0f48dd68c68881aa3 |
| SHA256 | 588e0e165fa613bb53b2c3c8d7e40bd468c0c9fafb1929969c6fb84c15964a00 |
| SHA512 | 60bb1dbfac1d441ceea2296a74c5bff9957dbb638545e492180da7c1d89200c7e756002cce33d9f0c37e29958f142699ad1386360a8034d5da4c8f5e7881bbe1 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-armhf-20240226-en
Max time kernel
6s
Command Line
Signatures
Checks CPU configuration
| Description | Indicator | Process | Target |
| File opened for reading | /proc/cpuinfo | /usr/bin/node | N/A |
Reads CPU attributes
| Description | Indicator | Process | Target |
| File opened for reading | /sys/devices/system/cpu/online | N/A | N/A |
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/node_modules/.bin/mime
[/tmp/node_modules/.bin/mime]
/bin/sed
[sed -e s,\\,/,g]
/usr/bin/dirname
[dirname /tmp/node_modules/.bin/mime]
/bin/uname
[uname]
/usr/bin/node
[node /tmp/node_modules/.bin/../mime/cli.js]
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\accepts\README.js
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\accepts\README.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\README.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240319-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | C:\Windows\system32\cmd.exe |
| PID 2056 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | C:\Windows\system32\cmd.exe |
| PID 2056 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WebContent.exe
"C:\Users\Admin\AppData\Local\Temp\WebContent.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5245.tmp\5246.tmp\5247.bat C:\Users\Admin\AppData\Local\Temp\WebContent.exe"
Network
Files
memory/2056-0-0x0000000140000000-0x0000000140027000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5245.tmp\5246.tmp\5247.bat
| MD5 | 711f5ad5d6b048ff59bdcc288d9b0d34 |
| SHA1 | fd9f247f5b6ef89a5aa7b5ee48e90d6eff61bd3d |
| SHA256 | b1d6606f612077f05b7ac402e54482e11a5be1c3a32eab51e280176d1d2e87e8 |
| SHA512 | 20f34257e493dbf4c5e5f038a072e625b938b85ab0f5e81ee7f0318010413338d3094264c62cc4d6c04791496c7007f4c40f71ace381c8cbc7b875b12b2ddce6 |
memory/2056-3-0x0000000140000000-0x0000000140027000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-mipsbe-20240226-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/node_modules/.bin/mime.ps1
[/tmp/node_modules/.bin/mime.ps1]
/usr/local/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/local/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\array-flatten\array-flatten.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-mipsbe-20240226-en
Max time kernel
2s
Command Line
Signatures
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
Processes
/tmp/node_modules/.bin/mime
[/tmp/node_modules/.bin/mime]
/bin/sed
[sed -e s,\\,/,g]
/usr/bin/dirname
[dirname /tmp/node_modules/.bin/mime]
/bin/uname
[uname]
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
debian9-mipsel-20240226-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/node_modules/.bin/mime.ps1
[/tmp/node_modules/.bin/mime.ps1]
/usr/local/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/local/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/usr/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/sbin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
/bin/pwsh
[pwsh /tmp/node_modules/.bin/mime.ps1]
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240221-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\array-flatten\README.js
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20231129-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\README.js
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe | C:\Windows\system32\cmd.exe |
| PID 2988 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe | C:\Windows\system32\cmd.exe |
| PID 2988 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe
"C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4328.tmp\4329.tmp\432A.bat C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\4328.tmp\4329.tmp\432A.bat
| MD5 | 6d0f4158dd4535af1ab5b8f328f065c9 |
| SHA1 | 7ece4ab8cc7a2be48336b5c0f48dd68c68881aa3 |
| SHA256 | 588e0e165fa613bb53b2c3c8d7e40bd468c0c9fafb1929969c6fb84c15964a00 |
| SHA512 | 60bb1dbfac1d441ceea2296a74c5bff9957dbb638545e492180da7c1d89200c7e756002cce33d9f0c37e29958f142699ad1386360a8034d5da4c8f5e7881bbe1 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win7-20240215-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2824 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | C:\Windows\system32\cmd.exe |
| PID 2824 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | C:\Windows\system32\cmd.exe |
| PID 2824 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe
"C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1880.tmp\1881.tmp\1882.bat C:\Users\Admin\AppData\Local\Temp\Libloader[gui]v3.exe"
Network
Files
memory/2824-0-0x0000000140000000-0x0000000140027000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1880.tmp\1881.tmp\1882.bat
| MD5 | 711f5ad5d6b048ff59bdcc288d9b0d34 |
| SHA1 | fd9f247f5b6ef89a5aa7b5ee48e90d6eff61bd3d |
| SHA256 | b1d6606f612077f05b7ac402e54482e11a5be1c3a32eab51e280176d1d2e87e8 |
| SHA512 | 20f34257e493dbf4c5e5f038a072e625b938b85ab0f5e81ee7f0318010413338d3094264c62cc4d6c04791496c7007f4c40f71ace381c8cbc7b875b12b2ddce6 |
memory/2824-3-0x0000000140000000-0x0000000140027000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1152 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | C:\Windows\system32\cmd.exe |
| PID 1152 wrote to memory of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\WebContent.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WebContent.exe
"C:\Users\Admin\AppData\Local\Temp\WebContent.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3E80.tmp\3E81.tmp\3E82.bat C:\Users\Admin\AppData\Local\Temp\WebContent.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/1152-0-0x0000000140000000-0x0000000140027000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E80.tmp\3E81.tmp\3E82.bat
| MD5 | 711f5ad5d6b048ff59bdcc288d9b0d34 |
| SHA1 | fd9f247f5b6ef89a5aa7b5ee48e90d6eff61bd3d |
| SHA256 | b1d6606f612077f05b7ac402e54482e11a5be1c3a32eab51e280176d1d2e87e8 |
| SHA512 | 20f34257e493dbf4c5e5f038a072e625b938b85ab0f5e81ee7f0318010413338d3094264c62cc4d6c04791496c7007f4c40f71ace381c8cbc7b875b12b2ddce6 |
memory/1152-3-0x0000000140000000-0x0000000140027000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
93s
Max time network
116s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1456 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe | C:\Windows\system32\cmd.exe |
| PID 1456 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe
"C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\33C2.tmp\33C3.tmp\33C4.bat C:\Users\Admin\AppData\Local\Temp\FluxVerify[x64].exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\33C2.tmp\33C3.tmp\33C4.bat
| MD5 | 6d0f4158dd4535af1ab5b8f328f065c9 |
| SHA1 | 7ece4ab8cc7a2be48336b5c0f48dd68c68881aa3 |
| SHA256 | 588e0e165fa613bb53b2c3c8d7e40bd468c0c9fafb1929969c6fb84c15964a00 |
| SHA512 | 60bb1dbfac1d441ceea2296a74c5bff9957dbb638545e492180da7c1d89200c7e756002cce33d9f0c37e29958f142699ad1386360a8034d5da4c8f5e7881bbe1 |
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
ubuntu1804-amd64-20240226-en
Max time kernel
0s
Max time network
132s
Command Line
Signatures
Enumerates kernel/hardware configuration
| Description | Indicator | Process | Target |
| File opened for reading | /sys/fs/cgroup/memory/memory.limit_in_bytes | /usr/bin/node | N/A |
Reads runtime system information
| Description | Indicator | Process | Target |
| File opened for reading | /proc/filesystems | /bin/sed | N/A |
| File opened for reading | /proc/meminfo | /usr/bin/node | N/A |
Processes
/tmp/node_modules/.bin/mime
[/tmp/node_modules/.bin/mime]
/bin/sed
[sed -e s,\\,/,g]
/usr/bin/dirname
[dirname /tmp/node_modules/.bin/mime]
/bin/uname
[uname]
/usr/bin/node
[node /tmp/node_modules/.bin/../mime/cli.js]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 151.101.194.49:443 | N/A | tcp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 1.1.1.1:53 | cdn.fwupd.org | udp |
| US | 151.101.194.49:443 | cdn.fwupd.org | tcp |
| GB | 185.125.188.62:443 | N/A | tcp |
| GB | 185.125.188.61:443 | N/A | tcp |
| US | 151.101.129.91:443 | N/A | tcp |
| US | 151.101.129.91:443 | N/A | tcp |
| GB | 89.187.167.3:443 | N/A | tcp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-16 19:08
Reported
2024-04-16 19:11
Platform
win10v2004-20240412-en
Max time kernel
147s
Max time network
165s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\node_modules\body-parser\index.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.185:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 25.63.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.90.28.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |