Overview

overview

10

Static

static

1

canadareve...025.js

windows7-x64

10

canadareve...025.js

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    01/08/2024, 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    canadarevenueagencypsaccollectiveagreement10025.js

  • Size

    13.7MB

  • MD5

    d8fa75d81370fd9f7a4af91d54b2bf60

  • SHA1

    abb0eb3b2c54a472c53400229f6194592bbf6e26

  • SHA256

    36de118e301097229d31cbeb177ff7422978857e891062c05603d178ac5eb43e

  • SHA512

    b06ea02814bdd01beb9c88dcb2a489147ac4a3dfe68cf30c0864c5747c708e843c2b6de621b51bd01ad1c933dd410f6aace673328f43014dd082bdb7beaea484

  • SSDEEP

    49152:YYRxr8uC0NjaCXHIsgYRxr8uC0NjaCXHIsf:hI0IE

Score
10/10
gootloaderexecutionloader

Malware Config

Signatures

  • GootLoader

    JavaScript loader known for delivering other families such as Gootkit and Cobaltstrike.

    loadergootloader
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\canadarevenueagencypsaccollectiveagreement10025.js
    1⤵
      PID:1544
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {603E19E6-6719-498E-8FD4-CBB7E0740427} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\system32\wscript.EXE
        C:\Windows\system32\wscript.EXE POSITI~1.JS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" "POSITI~1.JS"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Macromedia\POSITI~1.JS
      Filesize

      40.7MB

      MD5

      1d275b54bc2453f10032e45246c1e92a

      SHA1

      e12286d467751eb42c576ea0a11be65bf552f067

      SHA256

      641b599867d651952f02a2957e8ba596e617fce6727939a7ba6f190c020b5346

      SHA512

      dc834152cc6226bf37e39f44ce7f6cb008086679053483d1a50c30b91654df35563c3a4e6f7a7893cfde44871ac62625255d494c8c5b43315bdadc9a7e36e4e4

      Download Submit

    • memory/2424-7-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2424-8-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

      Download