Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"C2Server": "http://119.45.147.28:443/jquery-3.3.2.slim.min.js", "User Agent": "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n"} |
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp |
Malware Configuration Extractor: Metasploit {"Headers": "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nReferer: http://code.jquery.com/\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36\r\n", "Type": "Metasploit Download", "URL": "http://119.45.147.28/jquery-3.3.2.slim.min.js"} |
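The two extracted configurations above describe the same jQuery-themed profile: the stager and the beacon both fetch /jquery-3.3.2.slim.min.js from an IP literal with a Referer of http://code.jquery.com/ and a fixed Linux Chrome/78 User-Agent, even though the host running the sample is Windows. The following is an added example, not code from the sandbox report or from any of the tools it names: it turns those extracted values into checks over proxy-log records. The record layout (one dict per request with method, host, uri and headers) and the sample records are constructed for the example; map your own proxy's fields onto them.

```python
"""Score HTTP requests against the extracted Cobalt Strike / Metasploit stager profile.

Added example (not part of the sandbox report). Two kinds of feature are checked:
exact artefacts recovered by the config extractor (URI, Referer, User-Agent) and
contextual inconsistencies a jQuery-themed profile cannot hide (a jQuery asset
fetched from an IP literal, a jquery.com Referer paired with a non-jquery.com host).
"""
import ipaddress
import re

# Values from the extracted configuration above.
PROFILE_URI = "/jquery-3.3.2.slim.min.js"
PROFILE_REFERER = "http://code.jquery.com/"
PROFILE_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/78.0.3904.130 Safari/537.36")


def _is_ip_literal(host: str) -> bool:
    """True when the Host value is a bare IPv4/IPv6 address (optionally with :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_request(req: dict) -> list:
    """Return the list of profile features the request exhibits (empty = no match)."""
    hdr = {k.lower(): v for k, v in req.get("headers", {}).items()}
    uri = req.get("uri", "")
    host = req.get("host", "")
    reasons = []
    # 1. Static artefacts straight from the extracted configuration.
    if uri == PROFILE_URI:
        reasons.append("uri matches profile")
    if hdr.get("referer") == PROFILE_REFERER:
        reasons.append("referer matches profile")
    if hdr.get("user-agent") == PROFILE_UA:
        reasons.append("user-agent matches profile")
    # 2. Contextual inconsistencies: real jQuery is served from CDN hostnames,
    #    and a jquery.com Referer should accompany a jquery.com Host.
    if _is_ip_literal(host) and re.search(r"/jquery-[\d.]+(\.slim)?(\.min)?\.js$", uri):
        reasons.append("jquery asset fetched from an IP literal, not a CDN hostname")
    ref_host = re.sub(r"^https?://", "", hdr.get("referer", "")).split("/")[0]
    if ref_host.endswith("jquery.com") and not host.endswith("jquery.com"):
        reasons.append("referer claims jquery.com but host is elsewhere")
    return reasons


def flag_requests(requests: list) -> list:
    """Requests showing two or more profile features, as (host+uri, reasons) pairs."""
    flagged = []
    for req in requests:
        reasons = score_request(req)
        if len(reasons) >= 2:
            flagged.append((f"{req.get('host')}{req.get('uri')}", reasons))
    return flagged


# Constructed sample proxy records (not captured traffic): the stager request,
# a legitimate fetch of the same file from the real CDN, and an unrelated request
# that merely shares the User-Agent.
SAMPLE_REQUESTS = [
    {"method": "GET", "host": "119.45.147.28", "uri": "/jquery-3.3.2.slim.min.js",
     "headers": {"User-Agent": PROFILE_UA, "Referer": "http://code.jquery.com/",
                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"}},
    {"method": "GET", "host": "code.jquery.com", "uri": "/jquery-3.3.2.slim.min.js",
     "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) example-browser",
                 "Referer": "https://www.example.net/"}},
    {"method": "GET", "host": "cdn.example.org", "uri": "/static/app.js",
     "headers": {"User-Agent": PROFILE_UA}},
]

if __name__ == "__main__":
    for target, reasons in flag_requests(SAMPLE_REQUESTS):
        print(target, "->", "; ".join(reasons))
```

Requiring two features before flagging keeps a lone User-Agent or URI match (both of which legitimate traffic can produce) from paging anyone, while the stager request trips all five.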
Source: uA71eQl1nA.exe |
ReversingLabs: Detection: 31% |
Source: uA71eQl1nA.exe |
Virustotal: Detection: 22% |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_08e1c10da83fbc83\MSVCR90.dll |
Source: uA71eQl1nA.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: Malware configuration extractor |
URLs: http://119.45.147.28:443/jquery-3.3.2.slim.min.js |
Source: Malware configuration extractor |
URLs: http://119.45.147.28/jquery-3.3.2.slim.min.js |
Source: Joe Sandbox View |
ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6 -> 119.45.147.28:443, fired on four TLS sessions (source ports 49711, 49719, 49723 and 49726). JA3 hashes the TLS ClientHello parameters (version, cipher suites, extensions, curves, point formats), so it identifies the client TLS stack rather than a malware family; the "Possible Dridex" label is the name of the abuse.ch SSL-blacklist entry this rule encodes, not an attribution for this sample. The same fingerprint is produced here by the sample's Windows TLS client (schannel.dll is among the loaded modules) talking to the Cobalt Strike C2 recovered by the configuration extractor. |
Source: unknown |
TCP traffic detected without corresponding DNS query: 119.45.147.28 (reported 15 times). The C2 address is hard-coded as an IP literal in the extracted configuration, so the beacon never resolves a hostname; a connection to a public address that no DNS answer returned is a useful pivot for this family in DNS and flow logs, once hosts that legitimately use IP literals (update servers, some CDN and OCSP endpoints) are allow-listed. |
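The "TCP traffic without corresponding DNS query" signature is easy to reproduce outside the sandbox. The block below is an added example, not code from the report or from Joe Sandbox: it correlates constructed Zeek-style dns.log and conn.log records (field names ts, query, answers and id.orig_h, id.resp_h, id.resp_p, proto are assumed; the log lines are made up for the example) and returns the TCP connections to public addresses that no earlier DNS answer explains.

```python
"""Flag outbound TCP connections whose destination IP never appeared in a DNS answer.

Added example (not part of the sandbox report). Private, loopback, link-local and
multicast destinations are skipped because no DNS lookup is expected for them, and
only answers logged at or before the connection's timestamp count, so a lookup
that happens after the fact does not retroactively excuse the connection.
"""
import ipaddress
import json

# Constructed sample records (not from the report), one JSON object per line.
DNS_LOG = """
{"ts": 1700000000.0, "query": "code.jquery.com", "answers": ["151.101.2.137", "151.101.66.137"]}
{"ts": 1700000005.0, "query": "wpad.local", "answers": []}
"""

CONN_LOG = """
{"ts": 1700000001.0, "id.orig_h": "192.168.2.6", "id.resp_h": "151.101.2.137", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000010.0, "id.orig_h": "192.168.2.6", "id.resp_h": "119.45.147.28", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700000011.0, "id.orig_h": "192.168.2.6", "id.resp_h": "192.168.2.1", "id.resp_p": 445, "proto": "tcp"}
{"ts": 1700000012.0, "id.orig_h": "192.168.2.6", "id.resp_h": "119.45.147.28", "id.resp_p": 443, "proto": "udp"}
"""


def _records(text: str) -> list:
    """Parse newline-delimited JSON, ignoring blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def resolved_addresses(dns_lines: str, before_ts=None) -> set:
    """IP addresses returned by DNS answers, optionally only those logged at or before before_ts."""
    seen = set()
    for rec in _records(dns_lines):
        if before_ts is not None and rec["ts"] > before_ts:
            continue
        for answer in rec.get("answers", []):
            try:
                seen.add(ipaddress.ip_address(answer))
            except ValueError:  # CNAME targets and other non-address answers
                pass
    return seen


def connections_without_dns(conn_lines: str, dns_lines: str) -> list:
    """(ts, dst_ip, dst_port) for TCP connections to public IPs with no preceding DNS answer."""
    flagged = []
    for rec in _records(conn_lines):
        if rec.get("proto") != "tcp":
            continue
        dst = ipaddress.ip_address(rec["id.resp_h"])
        if not dst.is_global:  # RFC1918, loopback, link-local, multicast
            continue
        if dst in resolved_addresses(dns_lines, before_ts=rec["ts"]):
            continue
        flagged.append((rec["ts"], str(dst), rec["id.resp_p"]))
    return flagged


if __name__ == "__main__":
    for ts, ip, port in connections_without_dns(CONN_LOG, DNS_LOG):
        print(f"{ts}: TCP to {ip}:{port} with no preceding DNS answer")
```

The DNS set is rebuilt per connection for clarity; on real log volumes sort both logs by timestamp and sweep them once, and keep a list of addresses your estate contacts by IP on purpose.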
Source: uA71eQl1nA.exe, 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://code.jquery.com/ |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/ |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/8 |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js |
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js# |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.js3fovzTE |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jsYvdTA |
Source: uA71eQl1nA.exe, 00000000.00000003.3123468056.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000003.2802840791.0000000000C64000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://119.45.147.28/jquery-3.3.2.slim.min.jss (the trailing characters on this and the preceding variants, such as "#", "8", "3fovzTE" and "YvdTA", are adjacent memory bytes swept up by the string scanner, not part of the URL; the indicator is https://119.45.147.28/jquery-3.3.2.slim.min.js) |
Source: unknown |
Network traffic detected: HTTP traffic on port 443, in both directions, on the four sessions from local ports 49711, 49719, 49723 and 49726. These are the same sessions on which the JA3 alerts fired, i.e. TLS-wrapped HTTP to 119.45.147.28:443 rather than cleartext, which matches the https://119.45.147.28/ strings recovered from memory. |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_0275010C |
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
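Both Elastic rules match the API-resolution routine from Metasploit's block_api.asm, which walks the loaded-module list and each module's export table and compares a rolling hash of the names against a 32-bit constant the caller pushes before `call rbp`. The block below is an added example, not code from the report, from Elastic or from the Metasploit project: it reimplements that hash in Python from the algorithm in block_api.asm (module base name upper-cased as UTF-16LE including its terminator, export name as null-terminated ASCII, each byte folded with a 32-bit rotate-right by 13 and an add, the two sums added) so that constants seen in a dumped stager can be turned back into module!function names. The reference value used in the check, 0x0726774C for kernel32.dll!LoadLibraryA, is the constant Metasploit's own stager sources push for that import. The export list is a constructed starting point; extend it from the real export tables of the DLLs the sample loads.

```python
"""Metasploit block_api ROR13 API hash, reimplemented from block_api.asm.

Added example (not part of the sandbox report). The 32-bit arithmetic mirrors the
x64 shellcode: 'ror r9d, 13' then 'add r9d, eax' per byte, both wrapping at 32 bits.
"""


def ror13(value: int) -> int:
    """32-bit rotate right by 13 bits."""
    value &= 0xFFFFFFFF
    return ((value >> 13) | (value << 19)) & 0xFFFFFFFF


def _fold(data: bytes) -> int:
    """Fold a byte string into the running hash exactly as the shellcode loop does."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & 0xFFFFFFFF
    return h


def module_hash(module: str) -> int:
    """Hash of the module name as the loader stores it: upper-case UTF-16LE, terminator included.

    The shellcode upper-cases by subtracting 0x20 from bytes >= 'a'; for ordinary
    DLL names that is the same as str.upper().
    """
    return _fold((module.upper() + "\x00").encode("utf-16-le"))


def function_hash(function: str) -> int:
    """Hash of the export name as found in the export name table: ASCII, terminator included."""
    return _fold((function + "\x00").encode("ascii"))


def api_hash(module: str, function: str) -> int:
    """The constant a stager pushes to resolve module!function through block_api."""
    return (module_hash(module) + function_hash(function)) & 0xFFFFFFFF


def build_table(exports: list) -> dict:
    """Map hash -> 'module!function' so constants pulled from a dump can be looked up."""
    return {api_hash(m, f): f"{m.lower()}!{f}" for m, f in exports}


# Constructed lookup list (extend from real export tables).
KNOWN_EXPORTS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"),
]

if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for constant in (0x0726774C, 0xDEADBEEF):
        print(f"0x{constant:08X} -> {table.get(constant, '<not in table>')}")
```

Because the module name is upper-cased before hashing but the export name is not, a lookup table has to use the exact export-name casing; a reverse lookup that misses is more often a table gap than a different hashing scheme, so grow the table from the export directories of the DLLs the sample loads before assuming a custom hash.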
Source: classification engine |
Classification label: mal84.troj.winEXE@1/0@0/1 |
Source: uA71eQl1nA.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy key; reading it is routine loader behaviour seen in benign processes as well, so it is not an indicator on its own) |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
File read: C:\Users\user\Desktop\uA71eQl1nA.exe |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Sections loaded, in order (wintypes.dll was loaded three times): apphelp.dll, textshaping.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, schannel.dll. The wininet.dll, winhttp.dll, mswsock.dll and schannel.dll sequence is the WinINet HTTPS stack, consistent with the TLS sessions to 119.45.147.28:443 and with the WinINet-based HTTPS transport used by Metasploit reverse_https stagers and Cobalt Strike HTTPS beacons. |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 |
Source: uA71eQl1nA.exe |
Static PE information: Image base 0x140000000 > 0x60000000 |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_0275010C push eax; ret (0_2_02750387) |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_0275012B push eax; ret (0_2_02750387). Both functions lie in the 0x02750000 memory region whose dump matched the Metasploit API-hashing YARA rules, i.e. inside the position-independent stager rather than in the PE's own .text section. |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the dialog shown when a file open fails; common in ordinary software as well) |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, uA71eQl1nA.exe, 00000000.00000002.3354694858.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW (also seen as "Hyper-V RAW@"). This is the name of the Hyper-V socket provider in the Winsock catalog of the sandbox host; it lands in the memory of any process that initialises Winsock (the sample loads mswsock.dll), so it is an artifact of the analysis environment rather than evidence that the sample looks for a hypervisor. |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_00007FF6259612F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,__crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,__crt_debugger_hook,GetCurrentProcess,TerminateProcess. This call sequence is the MSVC CRT's /GS cookie-failure handler (__report_gsfailure); the IsDebuggerPresent call in it is compiler boilerplate, not an anti-debugging check added by the sample. |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_00007FF625961820 SetUnhandledExceptionFilter (CRT start-up code) |
Source: C:\Users\user\Desktop\uA71eQl1nA.exe |
Code function: 0_2_00007FF625961A64 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter. This is the CRT's __security_init_cookie seeding the /GS stack cookie from time, process and thread identifiers; on its own it is neither timing-based evasion nor entropy gathering by the sample. |
Source: Yara match |
File source: 00000000.00000002.3354927278.0000000002750000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3354581565.0000000000AFA000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY |