Overview

overview

10

Static

static

10

dist/Gojo ...or.exe

windows10-2004-x64

8

dist/mapper/map.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gojosim.zip

  • Size

    12.6MB

  • Sample

    250414-3ffcpsyzhs

  • MD5

    f14b9be1cca335e23639445e8e78ac9e

  • SHA1

    ba0aea33cef6cf1f1dcf9741134ac58ae0c717e9

  • SHA256

    4b4c20c87e23a20ea3dafd57907ed3dbb38b65c88d0d15d60fb304228f44dbc4

  • SHA512

    c053d6009578f21e1774306de007ce44144e089f7c73a36ca79fe196590dbbba5c6bd3cbc4e58fe370222e12b46a1788994bbb3c078ca0305fbed2ccdaaa8c32

  • SSDEEP

    196608:z0guj1G8FoLCTt7VwkB8WggI9VD/ZV1InfNESKqDZQrQos4BAK4d41jOt1qejGPU:6eLAwwIgI95xL/C+AK4ojOt1qvOm85

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionspywarestealerupxvmprotect

Malware Config

Targets

    • Target

      dist/Gojo simulator.exe

    • Size

      7.8MB

    • MD5

      af5dd5e0736e272360fd2808eb1e570b

    • SHA1

      a67924548f53e09ce4d1e4906a0a12e3cd4b1839

    • SHA256

      bf89680b50b1fa2be445ffc674826d3445c98761a4c65a081e4eb5938eab1736

    • SHA512

      02a6f7ad4cf9cb196b9246d2fb9c94a46b9163a71fff31f8b5dee12bd58cd6aa7175ec37d71a1ce8fa320af222af86e4f236ed44b3c29989d58c4a5ffa8aed57

    • SSDEEP

      196608:mW1CHUOXXKApOgj9fZwQRCgiIKpdzjPOan7j2y283TOnOh:YxMUw8wIKppDO9ih

    Score
    8/10
    collectioncredential_accessdefense_evasiondiscoveryexecutionspywarestealerupx

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      dist/mapper/map.exe

    • Size

      5.2MB

    • MD5

      4b7ac12256a768c1f344de2f169f5728

    • SHA1

      40d63f9cf769b2304420737132cbd6a63a44eb96

    • SHA256

      0910c0d226f1f5cb9a6ffaabb70e08b194bbf0b21617beb88109c2cf10987c4e

    • SHA512

      e2f50413ba791b0cf6d92922b8f9db59e686837e8d2f9e1a097f0ad72cf59a66a8bbd2c0d5567e059ef2b05dc28aa443ad9409aced4475d55324096abe9abfaf

    • SSDEEP

      98304:4uUx/rgmBLSmmoVIuKZxi8MHs6W2ZVci5lQ9pOidDXCc41t7uGkNP:pUx/rdSmmylyxz6zVc03gDyc4gN

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral2

MITRE ATT&CK Enterprise v16

Tasks