b2ab0c3f2f135714d2e5567cd653363f9d416d8345c23968ab50f11817aaa024

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25/06/2024, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

CPU-qjetski-1.9.7-Linux/appsettings.json
Size

522B
MD5

8deccc4c56f958848414e9b63f85a639
SHA1

cf5db327308b72bf13dd912691e1a845790f11cf
SHA256

fa04b7084329025d5a61f68f999d05649454d997b99ebab6ea5d20bb81487471
SHA512

e14966ba387558f28dd872944a2d5dd76755700ba70f229f8aeb2f08cd5da7318987ae8243430d4d0080ac8c347a788ad0a6d5a628f22cd5633863c45d464561

Score

6^/10

Malware Config

Signatures

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
140	api.ipify.org
141	api.ipify.org
8	whoer.net
9	whoer.net
10	whoer.net
11	whoer.net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637545023394104"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe
Token: SeShutdownPrivilege	4996	chrome.exe
Token: SeCreatePagefilePrivilege	4996	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe
4996	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 2752	4996	chrome.exe	83
PID 4996 wrote to memory of 2752	4996	chrome.exe	83
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2128	4996	chrome.exe	85
PID 4996 wrote to memory of 2184	4996	chrome.exe	86
PID 4996 wrote to memory of 2184	4996	chrome.exe	86
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87
PID 4996 wrote to memory of 1680	4996	chrome.exe	87

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CPU-qjetski-1.9.7-Linux\appsettings.json
1⤵
- Modifies registry class
PID:4788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\StartPublish.shtml
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x90,0xd8,0x7ffa3a659758,0x7ffa3a659768,0x7ffa3a659778
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:2
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5112 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:8
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4488 --field-trial-handle=1796,i,2203935845479461125,1827082416238869011,131072 /prefetch:8
  2⤵
  PID:1852

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8d279a52-436f-4816-9ce8-48a81880e656.tmp

Filesize
288KB

MD5
29ac41950d2e42936a552bf78b9da086

SHA1
c6d4ce62be27fe07a369b8de1e6bd59ed131f323

SHA256
667e62b23093e49f64c1bf1138f42d45d558bf4e410396ab3f5206ff3126c419

SHA512
de3081e0ad24c7ccd3219d0d22270862d2e52bb2676982bd65112ce79b9ebacf58fedcdb51889880964b9dd11372591e1d01d4608a2b884f4da06ef8b999e549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
518b649fff3599baaf249a7ceb968782

SHA1
f94dffcddab10da1bdc8b4cec46b353b32c03b90

SHA256
0c4a041dcb8e45aa13658913baca6ba2dcbee54051037d55821ae431ac69850b

SHA512
889fd2ae9bed04c9231eaa69d1ef62493aa6025160bd08a545a079116abf7a83b95db522bd315a6553e933785028df2cfbfb681bc09d8d4fa70f24f4de450708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
8edaeb1a020b6221cee4700f39112c76

SHA1
cc35b75c9028ee194b0bd3ba78e80e43bf377a7a

SHA256
9150c623d922f13104e277fd5ca89425ae5c0f77460f3f59f9b261f7d745b151

SHA512
76447bba276fd18e3e70a8a91fd2626b91b782319c04b7fd8baa9e944a31984699c8f603ec9b7907ea5d5b361a6bf86189d3c81c6a43f6b22e41f21ccdf545e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dda940e48bcb4828604e6ae5c8b3813f

SHA1
8ef143da0f3d5256365022dd0eed50d4f400c2d3

SHA256
2bc3edfcd6ad493620a863abd8296b7eea394e63fcd9c54338c863b88f2ae112

SHA512
9030d22826cd21f9cbf69af21c6b6190370538a7041808756779d19175923657fe18e8dc2bc474bfb475669378b789c662c26350bc9e0ce91271f46527528eb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit