hxxps://github[.]com/pankoza2-pl/Trashy-Malwares

Analysis

max time kernel
54s
max time network
35s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/Trashy-Malwares

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	firefox.exe
Token: SeDebugPrivilege	2700	firefox.exe
Token: SeDebugPrivilege	2208	taskmgr.exe
Token: SeDebugPrivilege	2788	taskmgr.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
2700	firefox.exe
2700	firefox.exe
2700	firefox.exe
2700	firefox.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
2700	firefox.exe
2700	firefox.exe
2700	firefox.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2208	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe
2788	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2368 wrote to memory of 2700	2368	firefox.exe	28
PID 2700 wrote to memory of 2696	2700	firefox.exe	29
PID 2700 wrote to memory of 2696	2700	firefox.exe	29
PID 2700 wrote to memory of 2696	2700	firefox.exe	29
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2920	2700	firefox.exe	30
PID 2700 wrote to memory of 2592	2700	firefox.exe	31
PID 2700 wrote to memory of 2592	2700	firefox.exe	31
PID 2700 wrote to memory of 2592	2700	firefox.exe	31
PID 2700 wrote to memory of 2592	2700	firefox.exe	31
PID 2700 wrote to memory of 2592	2700	firefox.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/pankoza2-pl/Trashy-Malwares"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/pankoza2-pl/Trashy-Malwares
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.0.1627266281\1047687066" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1136 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e81be5-21f9-4ae9-b36e-f0455beeebb8} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1280 45d3e58 gpu
    3⤵
    PID:2696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.1.430304733\1802840496" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc089401-18b2-46a7-8a72-0d6fe49f6c16} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 1496 e73b58 socket
    3⤵
    PID:2920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.2.320750557\1816942493" -childID 1 -isForBrowser -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7614204d-c90f-458a-a664-18583ece4e3e} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2060 1a988e58 tab
    3⤵
    PID:2592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.3.1492162475\769952051" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 2808 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {adfd18a3-183f-47b7-b862-205124ff4c32} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 2824 1d0d4358 tab
    3⤵
    PID:840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.4.861250815\1945165680" -childID 3 -isForBrowser -prefsHandle 3640 -prefMapHandle 3636 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f4b268e-252e-4c36-a28b-6aa121d52a3c} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3652 1d781258 tab
    3⤵
    PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.5.956661281\1499394177" -childID 4 -isForBrowser -prefsHandle 3680 -prefMapHandle 3752 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2882c966-e9c3-4bf5-9b3e-86b1e9f340ab} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3860 2027a858 tab
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2700.6.579765208\234431995" -childID 5 -isForBrowser -prefsHandle 3972 -prefMapHandle 3976 -prefsLen 26170 -prefMapSize 233444 -jsInitHandle 888 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {04f69c55-33a1-4406-8833-2cedcd711565} 2700 "\\.\pipe\gecko-crash-server-pipe.2700" 3964 2027cf58 tab
    3⤵
    PID:1572

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
8a728dea88ba841bba3df36a1fbdff9d

SHA1
18fd9e665815ee602dbcefabc47d6580c9c11d76

SHA256
4113de5e51f9345f3f1fba33e424ff61ff6918526e597ff9ec7e05327d4a7508

SHA512
1c1cd7d6f3ecf71d482b38c67531558ece141b2eed2064dafccd1d2435f0b40ddcea0b73be1a05e297b2c74cc36c1bfe9d9cc881ac4b6cd197522bdec7c35f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
9f44f6e899c12b3d6e0085892d4f5060

SHA1
682e7a60186ba0f6bdba403cf0cb3fafdf0e7a4a

SHA256
fe658c6d43bd652548992581b106f22669210ff948aebaa58ca8f1c4690b78fa

SHA512
4e2b214fb8bcb0907ccc4349db4a289f27f346b6e31886e033345a6d8ddb954fca162a2fb8289dfd5866e70366bad7333105859b947730d84fc29284940755e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\1389b233-cd61-40c4-817a-859f824376ae

Filesize
745B

MD5
6235bd1ca066543bd18094223a0fdbbc

SHA1
10d19a86cb1d5f4c08dbe85209806065cb26892d

SHA256
90df1f08ba448620761769aba7f2f52304871fb07fe7930cf118533e97c88242

SHA512
383c7ba77d585a97a4833a62a660624d3f7f7c9c2c42b2b7a5d05b5a12fc8432157b6f3cf05061d169f5f0b2930e432d001ba24dc74b6812829079d40eed0f30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\datareporting\glean\pending_pings\cd72502d-8512-4b10-aeda-f1028d844463

Filesize
11KB

MD5
1a6e0c2982d89ea1d4459c8c705b24fa

SHA1
b60c3591ed86916277ab554ffbe454ba8b56be56

SHA256
e447a9ca2d6156921ef246ee2b5a0879d1048973056f31bd6907405dd2b64652

SHA512
e53d739fa659d389c2202ce127f8d104130bc264af61f93dc57a7c5b70c7dd47919468786cbd19624162b2a122814bc5a0a67bc889b5ace90b96fe80e266366c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
062f2573811fc6ca998d92aa86208fbe

SHA1
23d0188fb99680d7dc934c34515fed48d3de0512

SHA256
6d11f6f40eaf90b002a53affcb6e31f86709c692bc9d715baf45edefdc2f3dcb

SHA512
5b07793b8b030be76350a3360a170e710f481514abcf8e800820bba0f5a3cdab3fd0991461c58436db14ee3d8b7e8938330df551b1db6bd2e2e2bad98256ca15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\prefs-1.js

Filesize
6KB

MD5
50020d117d174956615f2808d44e4307

SHA1
a14a0a55be13eb3b545eda036d3e341f2d9db2d9

SHA256
01dd95148dd13d08ccd7af9eacfcf5309684302e2b951413a9e0434fc4c38155

SHA512
d281027bc6fa2166bd4e20ec2d88275895d3af056d0c49707460b735d93db8cbe000ae233427570fb6a96346f02272757bb711d7b34100610dea6323304c0bd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
8e44000a3292d3f33da6b4c546479216

SHA1
506d41ac9f6fb77b8759ed5def88363d014d2bb0

SHA256
d8d52eea3e579c309e588810411930cca767b44740ee61b6041cbaca67581b34

SHA512
cce6d065c93ee6fc80f32687c6499022b99fa46df5e667d6c318d9364bd80b85ad3f5070b507ba824bdd2f07d88d66b819085ff2a71c3ded2ee2e988b28376aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
faef523b20acc6884c473417243ea246

SHA1
f18792fb00321747b59a2ebfe4c1cd9b9a09bca5

SHA256
7bf347531f17f61699fd73a4b3be905893474e417c2a48b71f88f9f42c05db0f

SHA512
fc5ff22139699c45cf94df27f08993852ceec98a3ca96234361c24dab358b0ca24541b8e7788399e35b97315b865aa454fa25aa1f1b26dc0272362a4427b7643

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xkoyglns.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
5e408510e49e400798db0c3d8d9d24b9

SHA1
bdf1af36f1d03934209eac72ca486cf4c9810b45

SHA256
81d5663f7cdc1caed0e23fb10c3798a9791c0bdac67b6ca96d321cdfe71c9532

SHA512
20a1f7b4d4eb3117f0fae575a6d91bd37207c81fc831ee1baa54c752a3a1b547284ab198126eee37f0687dde2aae81085a555e0101074f391665317a61903357

Download Submit
memory/2208-209-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2208-236-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2208-215-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2208-210-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2788-258-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download