Overview

overview

10

Static

static

3

4e44dd4325...1N.exe

windows7-x64

10

4e44dd4325...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 13:12 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e44dd4325beaf5d9e46cf3a34357d90280f7972e74f65ddf22bbf41398f6ae1N.exe

  • Size

    2.1MB

  • MD5

    cc39d6c48eb9e93bb63e0b57af43e910

  • SHA1

    8272d6188a3133092d5dcdc3777e262a74bc0912

  • SHA256

    4e44dd4325beaf5d9e46cf3a34357d90280f7972e74f65ddf22bbf41398f6ae1

  • SHA512

    1281b968c7a203a5d07efe67f3c7e1188366c0b13d7f24efba3d4c5576fe741191b11c0e02b89fa1b34195eefa960f573ec871c942d890a4beb02775d511eb86

  • SSDEEP

    24576:bOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNKrWPoqnJGCNY1nJGCNYB+93dt:GHPkVOBTKKrWgUka+9Nt

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e44dd4325beaf5d9e46cf3a34357d90280f7972e74f65ddf22bbf41398f6ae1N.exe
    "C:\Users\Admin\AppData\Local\Temp\4e44dd4325beaf5d9e46cf3a34357d90280f7972e74f65ddf22bbf41398f6ae1N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\4E44DD~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2760
  • C:\Windows\SysWOW64\Jbrja.exe
    C:\Windows\SysWOW64\Jbrja.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\Jbrja.exe
      C:\Windows\SysWOW64\Jbrja.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3060

Network

    No results found
  • 203.195.158.28:8080
    Jbrja.exe
    152 B
     3
  • 203.195.158.28:8080
    Jbrja.exe
    152 B
     3
  • 203.195.158.28:8080
    Jbrja.exe
    152 B
     3
  • 203.195.158.28:8080
    Jbrja.exe
    152 B
     3
  • 203.195.158.28:8080
    Jbrja.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\Jbrja.exe
    Filesize

    2.1MB

    MD5

    cc39d6c48eb9e93bb63e0b57af43e910

    SHA1

    8272d6188a3133092d5dcdc3777e262a74bc0912

    SHA256

    4e44dd4325beaf5d9e46cf3a34357d90280f7972e74f65ddf22bbf41398f6ae1

    SHA512

    1281b968c7a203a5d07efe67f3c7e1188366c0b13d7f24efba3d4c5576fe741191b11c0e02b89fa1b34195eefa960f573ec871c942d890a4beb02775d511eb86

    Download Submit

  • memory/3032-0-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.