Resubmissions
date              id                  score
17-04-2024 09:29  240417-lf1vzaah95   10
17-04-2024 09:29  240417-lf1j7sce6y   10
17-04-2024 09:28  240417-lfzynsah94   10
17-04-2024 09:28  240417-lfvnysah89   10
17-04-2024 09:28  240417-lft3esah88   10
16-04-2024 13:46  240416-q3e91adb3v   10
Analysis
max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
17-04-2024 09:28
Behavioral tasks
task         sample                                                                 resource
behavioral1  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe  win10v2004-20240412-en
behavioral2  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe  win7-20240221-en
behavioral3  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe  win10-20240404-en
behavioral4  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe  win10v2004-20240412-en
General
Target
365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
Size
30KB
MD5
2ad2c7b5700f4246447b90f07ec5359b
SHA1
e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7
SHA256
365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08
SHA512
625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c
SSDEEP
768:j4Fd5REMkNoYKNen9OztmVWj9n52yoJImwJcaP:+1EMkNoxMgYVen0yoif
Malware Config
Extracted
systembc
gmstar23.xyz:4044
scgsdstat14tp.xyz:4044
Signatures

Executes dropped EXE (1 IoC)
Processes:
pid   process
1296  jrimaur.exe

Unexpected DNS network traffic destination (1 IoC)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description     ioc
Destination IP  88.216.223.5

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
6     api.ipify.org
7     ip4.seeip.org
8     ip4.seeip.org
5     api.ipify.org

Uses Tor communications (1 TTP)
Malware can proxy its traffic through Tor for more anonymity.

Drops file in Windows directory (2 IoCs)
Processes: 365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
description                   ioc                           process
File created                  C:\Windows\Tasks\jrimaur.job  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
File opened for modification  C:\Windows\Tasks\jrimaur.job  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
pid   process
2032  365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: taskeng.exe
description                        pid   process      target process
PID 2060 wrote to memory of 1296   2060  taskeng.exe  jrimaur.exe
PID 2060 wrote to memory of 1296   2060  taskeng.exe  jrimaur.exe
PID 2060 wrote to memory of 1296   2060  taskeng.exe  jrimaur.exe
PID 2060 wrote to memory of 1296   2060  taskeng.exe  jrimaur.exe
Processes (process tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {FE298BB0-D7BD-4530-A342-EC7D7AA51693} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\mjxgj\jrimaur.exe
    command line: C:\ProgramData\mjxgj\jrimaur.exe start
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\ProgramData\mjxgj\jrimaur.exe
Filesize
30KB
MD5
2ad2c7b5700f4246447b90f07ec5359b
SHA1
e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7
SHA256
365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08
SHA512
625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c