e1d2362f0bf622de97c99833516fa7c50ebce8bc6e824a7a3dedd3f8b487c679 | Triage

Resubmissions

01/09/2024, 14:15 UTC

240901-rkpldssgrl 7

Analysis

max time kernel
210s
max time network
293s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 14:15 UTC

Sharing

Report Analysis Logs

General

Target

resources/app.asar.unpacked/node_modules/ssh2/lib/protocol/SFTP.js
Size

106KB
MD5

a5073ccbd57ae415f4bbf164cb8060e7
SHA1

4ce3c58cf87d962bb20de42299f67f6a36e6c867
SHA256

9969e72b877c21bd17234f2084fa26575365b9a516951173d645a7802c43e12f
SHA512

f3aa697a43cc8a507a657020685acf1a1b03a44c1c7bebb2d279804ab49dbebb3282d4facc4541b2fd982b98c40962a765dec1c80d37d9460918d8a89b722ded
SSDEEP

768:u3ot3ZieCIWlpWH+n87niAVJ4UW0UWRKWFWWLoU6WkFWN+GWk0WfBW1WW3kWuhWM:u3+NCMMs9xiiF+EKNBezyr4m7w

Score

3^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\node_modules\ssh2\lib\protocol\SFTP.js
1⤵
PID:1436

Network

DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

14.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.179.89.13.in-addr.arpa

IN PTR

Response
DNS

14.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.179.89.13.in-addr.arpa

IN PTR
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A

Response

ctldl.windowsupdate.com

IN CNAME

ctldl.windowsupdate.com.delivery.microsoft.com

ctldl.windowsupdate.com.delivery.microsoft.com

IN CNAME

wu-b-net.trafficmanager.net

wu-b-net.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

2.18.190.79

a767.dspw65.akamai.net

IN A

2.18.190.77
DNS

ctldl.windowsupdate.com

Remote address:

8.8.8.8:53

Request

ctldl.windowsupdate.com

IN A
DNS

79.190.18.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.190.18.2.in-addr.arpa

IN PTR

Response

79.190.18.2.in-addr.arpa

IN PTR

a2-18-190-79deploystaticakamaitechnologiescom

No results found

8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

214 B
303 B
3
2

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

14.179.89.13.in-addr.arpa

DNS Request

14.179.89.13.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

211 B
427 B
3
2

DNS Request

95.221.229.192.in-addr.arpa

DNS Request

ctldl.windowsupdate.com

DNS Request

ctldl.windowsupdate.com

DNS Response

2.18.190.79

2.18.190.77
8.8.8.8:53

79.190.18.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

79.190.18.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads