Overview (score 3)
Static (score 3)

Behavioral tasks (sample, platform, score):
idleon.zip                windows7-x64        1
idleon.zip                windows10-2004-x64  1
InjectCheatsF5.exe        windows7-x64        1
InjectCheatsF5.exe        windows10-2004-x64  1
cheats.js                 windows7-x64        3
cheats.js                 windows10-2004-x64  3
config.custom.example.js  windows7-x64        3
config.custom.example.js  windows10-2004-x64  3
config.js                 windows7-x64        3
config.js                 windows10-2004-x64  3
main.js                   windows7-x64        3
main.js                   windows10-2004-x64  3
package-lock.json         windows7-x64        3
package-lock.json         windows10-2004-x64  3
package.json              windows7-x64        3
package.json              windows10-2004-x64  3

Resubmissions (submitted, task ID, score):
16-08-2024 20:36  240816-zdtwjawakc  3
16-08-2024 20:31  240816-za2rzayfml  7
16-08-2024 19:15  240816-xybjkssakc  3

Analysis
max time kernel: 103s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 16-08-2024 19:15
Tasks (task, sample, resource):
static1       Static task
behavioral1   idleon.zip                win7-20240708-en
behavioral2   idleon.zip                win10v2004-20240802-en
behavioral3   InjectCheatsF5.exe        win7-20240708-en
behavioral4   InjectCheatsF5.exe        win10v2004-20240802-en
behavioral5   cheats.js                 win7-20240704-en
behavioral6   cheats.js                 win10v2004-20240802-en
behavioral7   config.custom.example.js  win7-20240708-en
behavioral8   config.custom.example.js  win10v2004-20240802-en
behavioral9   config.js                 win7-20240708-en
behavioral10  config.js                 win10v2004-20240802-en
behavioral11  main.js                   win7-20240729-en
behavioral12  main.js                   win10v2004-20240802-en
behavioral13  package-lock.json         win7-20240705-en
behavioral14  package-lock.json         win10v2004-20240802-en
behavioral15  package.json              win7-20240704-en
behavioral16  package.json              win10v2004-20240802-en
General

Target: package.json (this page is task behavioral15, the Windows 7 run on win7-20240704-en)
Size: 502B
MD5: 6fae43b43119fb1a90d0d939ff2fd417
SHA1: 26d54286ae79af1fa37f6993f57ecc979c9ed8c1
SHA256: 4c657641b9a51982e2affbc26c43f57e8bf4e8fc07a962712dbc9d5caa883f56
SHA512: 2576e8b7a6023a2c0f8257003139115bd2f08e9ac8804e9c40a1ef920cbe1befd222619494e6402e9942e5e830e46331ef9953aa3c426c6d787eacd8aeed2e91
Malware Config
Signatures

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (process, action, IoC):
    AcroRd32.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

- Modifies registry class (9 IoCs)
  Processes (process, action, IoC):
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file
    rundll32.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.json\ = "json_auto_file"
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read\command
    rundll32.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\.json
    rundll32.exe  Key created      \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read
    rundll32.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (PID, process):
    2916  AcroRd32.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (PID, process):
    2916  AcroRd32.exe
    2916  AcroRd32.exe

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, PID, process, target process):
    PID 3036 wrote to memory of 2832  3036  cmd.exe       rundll32.exe
    PID 3036 wrote to memory of 2832  3036  cmd.exe       rundll32.exe
    PID 3036 wrote to memory of 2832  3036  cmd.exe       rundll32.exe
    PID 2832 wrote to memory of 2916  2832  rundll32.exe  AcroRd32.exe
    PID 2832 wrote to memory of 2916  2832  rundll32.exe  AcroRd32.exe
    PID 2832 wrote to memory of 2916  2832  rundll32.exe  AcroRd32.exe
    PID 2832 wrote to memory of 2916  2832  rundll32.exe  AcroRd32.exe
Processes

1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\package.json
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\package.json
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\package.json"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

Note: the sandbox ran a Node package manifest with cmd /c. No handler is registered for .json on this image, so the shell fell through to the Open With dialog (shell32.dll,OpenAs_RunDLL), which picked Adobe Reader and wrote the json_auto_file association into the user's Classes hive; Reader then opened the file as text. Every signature on this task comes from that dialog and from Reader, not from the content of package.json. The .js files in the same submission are where the injector's behaviour would show.
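Telling this Open With residue apart from a real file-association hijack (same rundll32 parent, same Classes-hive writes, but a handler in a user-writable path) is the triage question for a run like this one. The script below is an added example, not code from the report or from the sandbox vendor: it parses the registry and WriteProcessMemory IoC lines quoted above (embedded as constructed input), joins the .json association with its shell verb command, rebuilds the parent/child chain from the duplicated memory-write events, and applies a rule that treats handlers under Program Files or Windows as application registrations. The regexes assume the line layout shown on this page, and TRUSTED_ROOTS is this example's own assumption.

```python
"""Parse the registry and WriteProcessMemory IoC lines of a Triage-style report
and decide whether a .json handler rewrite is a file-association hijack or the
residue of the Open With dialog picking an installed application.

Added example, not code from the report or from the sandbox vendor. The sample
lines are copied from the report above so it runs offline; the regexes assume
that line layout, and TRUSTED_ROOTS is this example's own assumption.
"""
import re
from collections import namedtuple

HIVE = r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000"

# Constructed input: IoCs quoted from the "Modifies registry class" signature.
REGISTRY_LINES = [
    "Key created " + HIVE + r"_Classes\Local Settings rundll32.exe",
    "Key created " + HIVE + r"_CLASSES\json_auto_file rundll32.exe",
    "Set value (str) " + HIVE + r'_CLASSES\.json\ = "json_auto_file" rundll32.exe',
    "Set value (str) " + HIVE + r'_CLASSES\json_auto_file\shell\Read\command\ = '
    + r'"\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe',
]
# Constructed input: the WriteProcessMemory events, duplicates included.
PROCESS_LINES = [
    "PID 3036 wrote to memory of 2832 3036 cmd.exe rundll32.exe",
    "PID 3036 wrote to memory of 2832 3036 cmd.exe rundll32.exe",
    "PID 2832 wrote to memory of 2916 2832 rundll32.exe AcroRd32.exe",
    "PID 2832 wrote to memory of 2916 2832 rundll32.exe AcroRd32.exe",
]
# Assumption: a handler under these roots is an application registration;
# a handler in a user-writable path is what a hijack looks like.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
COMMAND_RE = re.compile(r"^(\w+)\\shell\\(\w+)\\command$")

RegEvent = namedtuple("RegEvent", "kind path value process")
Handler = namedtuple("Handler", "ext progid verb exe trusted")

def parse_registry(lines):
    """One RegEvent per 'Key created' or 'Set value' line; REG_SZ data is
    printed with backslash-escaped quotes and backslashes, undone here."""
    events = []
    for line in lines:
        if m := SET_RE.match(line):
            value = re.sub(r'\\(["\\])', r"\1", m.group(3))
            events.append(RegEvent("set", m.group(2), value, m.group(4)))
        elif m := KEY_RE.match(line):
            events.append(RegEvent("create", m.group(1), None, m.group(2)))
    return events

def association_handlers(events):
    """Join '.ext = progid' with the progid's shell verb command, per Classes hive."""
    ext_to_progid, commands = {}, {}
    for ev in events:
        parts = re.split(r"_CLASSES\\", ev.path, maxsplit=1, flags=re.IGNORECASE)
        if ev.kind != "set" or ev.value is None or len(parts) != 2:
            continue
        hive, tail = parts[0].lower(), parts[1].rstrip("\\")
        if m := COMMAND_RE.match(tail):
            commands[(hive, m.group(1).lower())] = (m.group(2), ev.value)
        elif tail.startswith("."):
            ext_to_progid[(hive, tail.lower())] = ev.value
    handlers = {}
    for (hive, ext), progid in ext_to_progid.items():
        verb, cmd = commands.get((hive, progid.lower()), (None, None))
        exe = None
        if cmd:  # first token of the command line, quoted or bare
            m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
            exe = m.group(1) or m.group(2)
        trusted = exe is not None and exe.lower().startswith(TRUSTED_ROOTS)
        handlers[ext] = Handler(ext, progid, verb, exe, trusted)
    return handlers

def process_chain(lines):
    """Collapse repeated parent->child events into a tree; return it pre-order as 'name(pid)'."""
    names, kids = {}, {}
    for line in lines:
        if m := WPM_RE.match(line):
            parent, child = int(m.group(1)), int(m.group(2))
            names[parent], names[child] = m.group(3), m.group(4)
            if child not in kids.setdefault(parent, []):
                kids[parent].append(child)
    children = {c for cs in kids.values() for c in cs}
    order, stack = [], [p for p in kids if p not in children][::-1]
    while stack:
        pid = stack.pop()
        order.append(f"{names[pid]}({pid})")
        stack.extend(reversed(kids.get(pid, [])))
    return order

def looks_like_openas_fallback(chain, handlers):
    """cmd.exe -> rundll32.exe -> one handler, every handler under TRUSTED_ROOTS:
    the shape Windows leaves when a data file with no registered handler is run
    and the Open With dialog (shell32 OpenAs_RunDLL) picks an installed program.
    The rundll32 command line itself still has to be checked by hand."""
    procs = [entry.split("(")[0].lower() for entry in chain]
    return (procs[:2] == ["cmd.exe", "rundll32.exe"] and len(procs) == 3
            and bool(handlers) and all(h.trusted for h in handlers.values()))
```

On the lines quoted from this report, `process_chain` returns `cmd.exe(3036)`, `rundll32.exe(2832)`, `AcroRd32.exe(2916)`, `association_handlers` resolves `.json` to the `Read` verb of `json_auto_file` with AcroRd32.exe as the executable, and `looks_like_openas_fallback` is true. Feed it the same shape with a command pointing into `%TEMP%` or `AppData` and the handler comes back untrusted, which is the case that deserves an analyst.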
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents (Adobe Reader's own data file, written when AcroRd32.exe opened the target)
  Filesize: 3KB
  MD5: ed77368f5aa97eb7e71b3d32b76f27ff
  SHA1: 20eb49a37d6b85372c44f5c08e1bf6e3094b50a4
  SHA256: 512568c6df75504c66c480324c33d655d607025c6d0974bf520e19ee9e05e9d1
  SHA512: c84714134c734cd2de712408d77e4305c67ebf405a2ba39e9b21295ef32a2e9d3eb3f253736647de53c05c911e64f660dd73689454dfb5ea856b8803cb3f7d87