Overview

Score  Target                 Platform
7      Static                 -
1      PokeRandoZ..._0.zip    windows7-x64
1      PokeRandoZ..._0.zip    windows10-2004-x64
1      PokeRandoZX.jar        windows7-x64
1      PokeRandoZX.jar        windows10-2004-x64
7      launcher_MAC.command   windows7-x64
3      launcher_MAC.command   windows10-2004-x64
3      launcher_UNIX.sh       ubuntu-18.04-amd64
1      launcher_UNIX.sh       debian-9-armhf
1      launcher_UNIX.sh       debian-9-mips
1      launcher_UNIX.sh       debian-9-mipsel
1      launcher_WINDOWS.bat   windows7-x64
1      launcher_WINDOWS.bat   windows10-2004-x64
Analysis (score 7)
- Max time kernel: 121s
- Max time network: 125s
- Platform: windows7_x64
- Resource: win7-20240220-en
- Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- Submitted: 25-04-2024 12:52
Tasks

Task          Type        Sample                   Resource
static1       Static      -                        -
behavioral1   Behavioral  PokeRandoZX-v4_6_0.zip   win7-20240221-en
behavioral2   Behavioral  PokeRandoZX-v4_6_0.zip   win10v2004-20240226-en
behavioral3   Behavioral  PokeRandoZX.jar          win7-20240221-en
behavioral4   Behavioral  PokeRandoZX.jar          win10v2004-20240412-en
behavioral5   Behavioral  launcher_MAC.command     win7-20240220-en
behavioral6   Behavioral  launcher_MAC.command     win10v2004-20240412-en
behavioral7   Behavioral  launcher_UNIX.sh         ubuntu1804-amd64-20240226-en
behavioral8   Behavioral  launcher_UNIX.sh         debian9-armhf-20240226-en
behavioral9   Behavioral  launcher_UNIX.sh         debian9-mipsbe-20240226-en
behavioral10  Behavioral  launcher_UNIX.sh         debian9-mipsel-20240226-en
behavioral11  Behavioral  launcher_WINDOWS.bat     win7-20240221-en
behavioral12  Behavioral  launcher_WINDOWS.bat     win10v2004-20240412-en
General
- Target: launcher_MAC.command
- Size: 120B
- MD5: 73a15c4eb0e721d3d547b400f29cebf2
- SHA1: 9e60a0891a1d89b85954bd76c289d8ed8d00df5e
- SHA256: 655f6bc52daa83189aa169da7b8f800606c313e6d61b8805acd043957927e854
- SHA512: ff8695002de5641b309ca0cdbc443bcc12a887e1052edfef96fd1ce08523857ad8b6c71e29f772e5029fe86b4ec8416a5f7693de59c6940888130367fbef31a8
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file\
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.command\ = "command_auto_file"
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file\shell\Read
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file\shell
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file\shell\Read\command
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file
  Key created:     \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.command
  Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\command_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: AcroRd32.exe (PID 2688)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (PID 2688), 2 occurrences
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2064 cmd.exe wrote to memory of PID 2156 rundll32.exe (3 occurrences)
  PID 2156 rundll32.exe wrote to memory of PID 2688 AcroRd32.exe (4 occurrences)
Processes
- C:\Windows\system32\cmd.exe (PID 2064)
  cmd /c C:\Users\Admin\AppData\Local\Temp\launcher_MAC.command
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (PID 2156)
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\launcher_MAC.command
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2688)
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\launcher_MAC.command"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

Reading the tree: the sandbox launched a macOS .command shell script with cmd /c on Windows. No handler is registered for the .command extension, so the shell fell through to the Open With dialog (shell32.dll,OpenAs_RunDLL), and the application selected there, Adobe Reader 9, was recorded as the per-user handler; that is what the .command and command_auto_file keys under HKCU\Software\Classes in the signatures above are. Nothing in this tree executes the script's contents. The registry, WriteProcessMemory, SetWindowsHookEx and GetForegroundWindowSpam signatures come from the Open With flow and from Reader displaying the file, not from the sample itself, which is worth keeping in mind before reading the score of 7 as malicious behaviour.
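An added example, not part of this report or of the PokeRandoZX project: a read-only PowerShell audit of the per-user file associations that the Open With flow above writes under HKCU\Software\Classes. For each extension it follows the extension key's default value to its ProgID, then to each shell verb's command line, so an analyst can see on a host whether a stray association like .command -> command_auto_file -> AcroRd32.exe "%1" exists and what would launch when such a file is opened. The function name Get-UserAssociation and the default extension list are this example's own; the key layout (extension key default value = ProgID, ProgID\shell\<verb>\command) is standard Windows shell registration, not an assumption.

```powershell
# Added example (not from the report). Audit per-user file associations under
# HKCU\Software\Classes, the hive the report shows rundll32 (OpenAs_RunDLL) writing
# when a file with no registered handler is opened. Read-only: nothing is modified.
# Defaults to the '.command' extension from the report; any list can be passed.
param(
    [string[]]$Extensions = @('.command')
)

$classes = 'HKCU:\Software\Classes'

function Get-UserAssociation {
    param([string]$Extension)

    $extKey = Join-Path $classes $Extension
    if (-not (Test-Path $extKey)) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Verb = $null; Command = $null; Status = 'no per-user association' }
    }

    # The extension key's default value names the ProgID
    # (report: .command -> "command_auto_file").
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if (-not $progId) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $null; Verb = $null; Command = $null; Status = 'extension key present, no ProgID' }
    }

    $shellKey = Join-Path $classes "$progId\shell"
    if (-not (Test-Path $shellKey)) {
        return [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Verb = $null; Command = $null; Status = 'ProgID has no shell verbs' }
    }

    # One record per verb; the verb's 'command' subkey default value is what
    # ShellExecute runs (report: shell\Read\command -> AcroRd32.exe "%1").
    foreach ($verb in Get-ChildItem -Path $shellKey) {
        $cmdKey  = Join-Path (Join-Path $shellKey $verb.PSChildName) 'command'
        $cmdLine = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { $null }
        [pscustomobject]@{
            Extension = $Extension
            ProgId    = $progId
            Verb      = $verb.PSChildName
            Command   = $cmdLine
            Status    = if ($cmdLine) { 'handler registered' } else { 'verb without command' }
        }
    }
}

$Extensions | ForEach-Object { Get-UserAssociation -Extension $_ } | Format-Table -AutoSize
```

Run it as the user whose profile is being triaged, since HKCU differs per account; on the sandbox image from this report it would list one Read verb for .command pointing at AcroRd32.exe, while a clean host reports 'no per-user association'. An association whose Command points at an interpreter (cmd.exe, powershell.exe, wscript.exe) rather than a viewer is the case that deserves a second look.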
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 6ed13e5adfb448fd9baa41b1c834a78f
  SHA1: 6bbd924a3e6b8644c5e59c31ad54361ed9fc5362
  SHA256: 34cc749ee9b9b71e96cda4e6f53e865c9652d088b8d30536041951f93f2f8400
  SHA512: 9b93eaae506e4cb0771a3f5bed50107071a53c1ffe0da7b76c716041408ab0ebb8b70a61d1bba8ec7cf542b48ac217c00c584646b23dd56f4bbd9552f253a119