Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23/04/2024, 17:46
General
-
Target
https://github.com/ytisf/theZoo
Malware Config
Signatures
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ytisf/theZoo"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ytisf/theZoo2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.0.328062374\1902455047" -parentBuildID 20221007134813 -prefsHandle 1236 -prefMapHandle 1228 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de40296f-3ad4-416a-a45b-73145cfe3847} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 1300 86d5d58 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.1.686843621\880585633" -parentBuildID 20221007134813 -prefsHandle 1504 -prefMapHandle 1500 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0025a05f-ba42-43cf-b93f-2b9cf26f199f} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 1516 e70358 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.2.164556469\569345058" -childID 1 -isForBrowser -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21713 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2dea8976-2e41-4550-ab9d-47000075bdd1} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 2132 1988ce58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.3.743817248\2083478804" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2796 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9502c1c-575b-42ee-869d-6d6fa875b9e4} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 2816 1b708858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.4.302592768\2138509678" -childID 3 -isForBrowser -prefsHandle 3196 -prefMapHandle 3332 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f59042b-218d-47a6-846c-c80c0442a1ba} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3320 e60058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.5.1413562543\1594210105" -childID 4 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb9d643c-5587-4eb9-af0f-59c3f0709ea5} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 3924 201b2e58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1748.6.1064822743\1083505620" -childID 5 -isForBrowser -prefsHandle 4104 -prefMapHandle 4108 -prefsLen 26251 -prefMapSize 233444 -jsInitHandle 896 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bfec700-5e36-4470-a6af-4311a964a1f6} 1748 "\\.\pipe\gecko-crash-server-pipe.1748" 4088 201b5b58 tab3⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_BAT.Drop.zip\Drop_BATCH.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\BAT.Drop\DROP_B~1.BAT" "1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\BAT.Drop\.DS_Store1⤵
- Modifies registry class
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\Desktop\BAT.Drop\DROP_B~1.BAT" "1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\BAT.Drop\DROP_B~1.BAT1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\BAT.Drop\DROP_B~1.BAT"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d48a60bd5780bdf0b6f0feba7f3b0ce8
SHA137806bef524ea91044dd8cb9d5821347f0d501c6
SHA2566e02f63acec8201d8f1427bc10ed69f3a2a6859b9c5eb21c36e0e16366c7ea32
SHA512c65e33d808358be3d8da879415dc8cc2f5c3ff916a97585f72679f148b4388eb54eb9da5f094bbd236e1e347487f2d57e085eac46e99d2429f5d112c6e262341
-
Filesize
745B
MD58fe8e22f9cbc707ba79825a2ad1b78e7
SHA18c5b00f3a0ac7eac711b062494b21423860febae
SHA256156a19f918f4250573b24e076297faf0f6cdd4d330c613924da73ea64f17000b
SHA512de07b4e9f1e5e1a10b1b898a52286b2ac6679f32c6ef44d029b9895322f87ab3c2fe1410b878943e05f7378bff027b3ef6853fdc261e866488779c6ea2ea9afe
-
Filesize
13KB
MD5d55817bef744292c51476301d7498c51
SHA1430bec40c886ea467d38722628ebe70b0b7402b4
SHA256dd027d8cb0a8217e3294daf22f559a959d4a626593ddf823f70d54be06f0fc23
SHA51200232664294efffde834ff54a9d77f5a29650ed75c5c840a0e114749e19f4ecdedd7a7a41eed4b718aee82113742596943dae3029aaef3dafb9e8a77ef9f2b60
-
Filesize
6KB
MD5f851eed6097e500334384294b65570e2
SHA146b53af78c2c3c6883c431cc2bbbb90da276a5ff
SHA2568623944a032238051e54416304c5339d90218de9ab37a3e30571ea0ec12949b9
SHA512ca2e7338064ec32577debf664f86112187921c4fe76ef31a1c874dbc54e60151f32596fc09ed115f8b810119fa074811c8db39158ffd743f32caadb65a24afb9
-
Filesize
6KB
MD5b5076118d2e304f0edfc445af29a9a6f
SHA1107352b706e0ce0f02b8d6ddcb206e2ee55c5d98
SHA2560f14725fb2e3bc2f78168cbe1f7c4a8a6e2cf424ebbbbfa5bcdf63685338f00c
SHA512045ac60820af26f71376a1ffe3236e3cda1626544d22e772174415684fab58c8da67d2f34de8254686777a81dc6041a93b3d18c955be1f88cbfb75b3617274a9
-
Filesize
6KB
MD5cfb925cf84d6a4132ae22215d9c1f4d0
SHA10cc6d0d17ffcac1d6d9ebb79cb4b572bbc6b0f54
SHA256e2dee9408ea9491035eac27bfdfdb1a71b5f40733a314f86cd1d750d5c0be0bf
SHA512a2004f398838a2065b4478f435fde790889806d79d8bbcb93bc344547e07fc497228b27077d541226cc8138c421dffc79ad000f6256872f1ee959a3317ae09ba
-
Filesize
6KB
MD50a5383350a5c7d0ab42d6154f65271f3
SHA1ba0e651e3e66204c32ab4d9cd0613b462a083596
SHA2565b5e7a1c69851ed8c06911f10cc4beb8f8425184c6f04c52d1a555368d057bc6
SHA5121cf50cdd41a5b4ab3719ad4b95529fb8e8277de76b0bfe3b8e6c9373da9d648eb767f0407393f8793439ba44ec3022ef52c0529253a2c5a45b00e056932bfa06
-
Filesize
3KB
MD57062369f408649ddaeb6a87ac3bd860f
SHA14a6a61b7458d7233a8e4fde6c54b586a93c4c6ee
SHA2561aeffef6abbe9bf9e06621981a483f2857e2b76e05e2ffc77fff192bf3c95a64
SHA5122ff5550109d7d0daaf0f43d7427130c73adbce12c7c62767606e94629d20447949eea6b6af50a8a687ca01f38d4d5b92d4aa5c37936ef4979a529af36d821cc2
-
Filesize
3KB
MD5cae2360b7bb83310c8aff8f8e933214a
SHA15398aaf1d1e26f8c5b5478efdf5d2f0621c96d8c
SHA2564b39bf34bd4138fa9b931e97fe2debd082262ddf3430b2144e89a2251a11fa5f
SHA5120f70780acc40e7069fea96684555f8d2f813155215736eb77e2ca4243e40a619996b240003d01551cd5d3433ca9d8c1e2fb997fda6dfd6776fb6f126a0f9fee1
-
Filesize
3KB
MD5c8a32e465c2a1e43313fc2b2f09e0a2b
SHA1e4fcbbb5e10833455d68feb34bf1f3f2f763c5e4
SHA2568e48743654fd49c1db1e51656c0e92c1774df78fdf9932508cab019c6485fba7
SHA512aba87b39be1d7c699f8a05ee5a962bdf9626e12dc587c936f9c9d948edecbd945fc1db66c4f92b0d8461543341e4853f496c3d7d6a49ca89f314b25720e0b235
-
Filesize
3KB
MD5ee84c4122d746c433b2587106818283f
SHA12dbba24e7a17cb582b0372b00e74158ae4b36de8
SHA256524e67dcf22d4690658fb95969701d4b05a0e783fc42b7fd41d02321cef6bd34
SHA51261c4854171e6955a27f30a242b427ec33b3d0214fc8f9ca0a719c38b62d55a19bd2f3327641d232bc5d143496d648737910159097d9236bbf010949fee6d0fbf
-
Filesize
184KB
MD5c09e14712fceb847b7dd6bc434f9bf96
SHA1411f88cd1df0db05df389e38d50e042aa2cd1d8f
SHA25659338c47345d89dab532828d55085e8e68b0127e7b78872554ad073676236f9b
SHA512c3ea66366b98c6d1194c038b0e132f6c95bb39a267f20f2decdd4d1cf6d3b6efa5c72845da4bc5c82e994b582e839748d7a23dad4873232c367de84de25a0aee
-
Filesize
1KB
MD5935ce64b55d3462931375e344da1ce38
SHA1c8ac794923e3ba4edbc8279a58012fddd43b2b3f
SHA256af6b6dc7ec20ce1979fa9bedce80af02f108db398b90ca56e09b7ab7260f4a87
SHA5128a32a5429e785ba671e4693d61e51886e78a0f1e1d26b0e6e09f3199e9befcc9c9661c4d7a8d582bda798c8c01daa2cf4ef47f1f32be2f22d3bb3f33860968d1