Analysis
max time kernel: 145s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 21:38
Behavioral tasks
task         sample               resource
behavioral1  2/JudianService.dll  win7-20240221-en
behavioral2  2/JudianService.dll  win10v2004-20240412-en
behavioral3  2/cbappendix.exe     win7-20240221-en
behavioral4  2/cbappendix.exe     win10v2004-20240412-en
General
Target: 2/JudianService.dll
Size: 283KB
MD5: 943cb4b5ffb69926803d7f9c3dd1bc7c
SHA1: 2459b3ee3761e20439494ab11a7bd5aa96f3913c
SHA256: 8ccd9591e9438a313a21958c7f8edce4b238bbb147e8284ec4a2b7b488b920ca
SHA512: c983494abcee03d98c6daa6e26b6a4afc639d1ffeaafc8ca2a0f0dd27bdcae21926fa4896dcf21fe92d829d959a8c36a6457024acf5c4526a1f5fc412ece3096
SSDEEP: 6144:UZC4MTZhJZa5u+/c/xDbUkQFXzF7goI1WtkBTkoLOhSo:UUj7Za5a+RF7aTNLOh3
Malware Config
Extracted: metasploit (encoder/shikata_ga_nai)
Extracted: cobaltstrike (watermark 0)
C2:
http://chart.expocasheuro.com:443/fromdefault
http://94.237.81.57:443/fromdefault
access_type: 512
beacon_type: 2048
host: chart.expocasheuro.com,/fromdefault,94.237.81.57,/fromdefault
http_header1:
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2:
AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1: GET
http_method2: POST
jitter: 6656
maxdns: 244
polling_time: 7300
port_number: 443
sc_process32: %windir%\syswow64\taskeng.exe
sc_process64: %windir%\sysnative\taskeng.exe
state_machine:
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1: 1.001138688e+09
unknown2:
AAAABAAAAAEAAACOAAAAAgAAAPUAAAADAAAACAAAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri: /app
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0
watermark: 0
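The http_header1 and http_header2 values above are not opaque blobs: each is a small Cobalt Strike transform program (big-endian 32-bit opcodes, some followed by a length-prefixed string) that tells the beacon how to build its GET and POST requests. The following is an added example, not part of this report or of any extraction tool. It assumes the opcode numbering used by the open-source config parsers (1768.py and similar) and takes the two blob values verbatim from the config above, with the trailing zero padding written as a repeat.

```python
import base64
import struct

# Transform opcodes as used by the public Cobalt Strike config parsers
# (e.g. 1768.py). This numbering is an assumption of the example; the
# report itself does not name the opcodes.
OPCODES = {
    1: "append", 2: "prepend", 3: "base64", 4: "print", 5: "parameter",
    6: "header", 7: "build", 8: "netbios", 9: "const_parameter",
    10: "const_header", 11: "netbiosu", 12: "uri_append", 13: "base64url",
    14: "strrep", 15: "mask", 16: "const_host_header",
}
ONE_STRING = {1, 2, 5, 6, 9, 10, 16}   # opcode is followed by one length-prefixed string

# http_header1 / http_header2 from the Malware Config above; each field's
# zero-byte padding is written as a repeat of base64 "A".
HTTP_HEADER1 = (
    "AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAfQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuNQAAAAoAAAAZQWNjZXB0LUVuY29kaW5nOiBnemlwLCBicgAAAAcAAAAAAAAADwAAAAMAAAACAAAACmNtX2Nvb2tpZT0AAAAGAAAABkNvb2tpZQ"
    + "A" * 44 + "=="
)
HTTP_HEADER2 = (
    "AAAACgAAABBIb3N0OiB3d3cucXEuY29tAAAACgAAAClBY2NlcHQ6IGFwcGxpY2F0aW9uL2pzb24sIHRleHQvcGxhaW4sICovKgAAAAoAAAAVQWNjZXB0LUVuY29kaW5nOiBnemlwAAAABwAAAAAAAAAPAAAAAwAAAAIAAAAKY21fY29va2llPQAAAAYAAAAGQ29va2llAAAABwAAAAEAAAAPAAAAAwAAAAIAAAAQeyJwYWdlIjoyLCJ1aW4iOgAAAAEAAAAOLCJwYWdlU2l6ZSI6M30AAAAE"
    + "A" * 54 + "=="
)


def parse_transforms(b64: str) -> list:
    """Decode one transform program into a list of (opcode name, argument)."""
    data = base64.b64decode(b64)
    pos = 0

    def u32() -> int:
        nonlocal pos
        (value,) = struct.unpack(">I", data[pos:pos + 4])
        pos += 4
        return value

    def string() -> str:
        nonlocal pos
        length = u32()
        value = data[pos:pos + length].decode("latin-1")
        pos += length
        return value

    steps = []
    while pos + 4 <= len(data):
        op = u32()
        if op == 0:                       # a zero opcode terminates the program
            break
        name = OPCODES.get(op, f"unknown_{op}")
        if op in ONE_STRING:
            steps.append((name, string()))
        elif op == 7:                     # build: 0 = session metadata, 1 = output
            steps.append((name, "metadata" if u32() == 0 else "output"))
        elif op == 14:                    # strrep carries pattern and replacement
            steps.append((name, (string(), string())))
        else:
            steps.append((name, None))
    return steps


def to_profile(steps: list, block: str) -> str:
    """Render the steps as the client section of a Malleable C2 http block."""
    def q(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

    lines = [f"{block} {{", "    client {"]
    in_build = False
    for name, arg in steps:
        if name == "build":
            if in_build:
                lines.append("        }")
            lines.append(f"        {arg} {{")
            in_build = True
        elif name == "const_header":       # stored as "Name: value"
            key, _, value = arg.partition(": ")
            lines.append(f"        header {q(key)} {q(value)};")
        elif name == "const_parameter":    # stored as "name=value"
            key, _, value = arg.partition("=")
            lines.append(f"        parameter {q(key)} {q(value)};")
        elif arg is None:
            lines.append(f"            {name};")
        elif isinstance(arg, tuple):
            lines.append(f"            {name} {q(arg[0])} {q(arg[1])};")
        else:
            lines.append(f"            {name} {q(arg)};")
    if in_build:
        lines.append("        }")
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_profile(parse_transforms(HTTP_HEADER1), "http-get"))
    print(to_profile(parse_transforms(HTTP_HEADER2), "http-post"))
```

Decoded, the GET sends Host: www.qq.com while the report's C2 hosts are chart.expocasheuro.com and 94.237.81.57, so the Host header does not match the destination, and it carries the masked, base64-encoded session metadata as Cookie: cm_cookie=... . The POST reuses that cookie and wraps its output in a JSON body of the form {"page":2,"uin":<base64>,"pageSize":3}. Those constants are what a network detection should key on, rather than the Firefox 50 user agent alone.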
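The state_machine field above is a base64 DER SubjectPublicKeyInfo (it opens with MIGfMA0GCSqGSIb3DQEBAQUA, the rsaEncryption AlgorithmIdentifier), that is, the team server's RSA public key with which the beacon encrypts its session metadata. The following added example (not part of the report) walks the DER by hand so it needs no third-party crypto library; the key value is copied from the field above, with its zero padding written as a repeat.

```python
import base64
import hashlib

# state_machine value from the Malware Config above (DER up to "AQAB"),
# followed by the field's zero padding written as a repeat of base64 "A".
STATE_MACHINE = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCgKUlf3RLWKgNJ9S8y26ebK2mGsFDDooTj9uq8fjMrU1OIjQ74FBmAQLpksIts/EPd5KL9KW5KpmrHRqoFWsWWylAQBegxuqj4h2Tyw5fi9fAWRBXMhY9lmo9tjYSbFuLMCFCu4kdLRishHaVfQ0uw6TGHr9q2slEMrom+ypPcvwIDAQAB"
    + "A" * 126 + "=="
)

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, end position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(b64: str) -> dict:
    """Parse a base64 SubjectPublicKeyInfo holding an RSAPublicKey."""
    der = base64.b64decode(b64)
    tag, spki, end = read_tlv(der, 0)             # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)             # AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = read_tlv(alg, 0)                  # OBJECT IDENTIFIER
    if oid != OID_RSA_ENCRYPTION:
        raise ValueError(f"unexpected algorithm OID {oid.hex()}")
    tag, bits, _ = read_tlv(spki, pos)            # subjectPublicKey ::= BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa, _ = read_tlv(bits, 1)                 # RSAPublicKey ::= SEQUENCE { n, e }
    _, n, pos = read_tlv(rsa, 0)
    _, e, _ = read_tlv(rsa, pos)
    modulus = int.from_bytes(n, "big")
    return {
        "bits": modulus.bit_length(),
        "e": int.from_bytes(e, "big"),
        "n": modulus,
        "spki_sha256": hashlib.sha256(der[:end]).hexdigest(),  # stable key identifier
        "trailing_zero_bytes": len(der) - end,
    }


if __name__ == "__main__":
    key = parse_rsa_spki(STATE_MACHINE)
    print(f"RSA-{key['bits']} e={key['e']} spki_sha256={key['spki_sha256']}")
```

The modulus is 1024 bits with e = 65537. Because this key is fixed per team server installation, its SHA-256 (or the modulus itself) is a better pivot for clustering other beacons from the same operator than the C2 hostnames, which change freely between profiles.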
Signatures
Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Blocklisted process makes network request (9 IoCs)
flow  pid   Process
23    1532  rundll32.exe
44    1532  rundll32.exe
46    1532  rundll32.exe
52    1532  rundll32.exe
53    1532  rundll32.exe
57    1532  rundll32.exe
58    1532  rundll32.exe
63    1532  rundll32.exe
64    1532  rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1532  rundll32.exe
1532  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process       procid_target
PID 4044 wrote to memory of 1532  4044  rundll32.exe  92
PID 4044 wrote to memory of 1532  4044  rundll32.exe  92
PID 4044 wrote to memory of 1532  4044  rundll32.exe  92
Processes
C:\Windows\system32\rundll32.exe (PID 4044)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2\JudianService.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 1532)
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2\JudianService.dll,#1
        - Blocklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4116)
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,10943981808815347339,15838841970612097850,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:8

The 64-bit rundll32.exe (PID 4044) loads the DLL by export ordinal #1 and re-launches the same command line under the 32-bit SysWOW64 rundll32.exe (PID 1532), writing into its memory on the way; the 32-bit child is the process that performs the network requests. No signature is attributed to the msedge.exe utility process.