Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

jpGSWjSTSw.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.57705929211832
Filename:	jpGSWjSTSw.exe
Filesize:	37888
MD5:	b1048f879fa97d356045037bddc4add3
SHA1:	5e4a581b9756c930af7f0f07020fa668e1ec7143
SHA256:	3708d1bd614bd0a96c34dc96c7ef75bb6386b401b6e81b019293a8964447c90a
SHA512:	770fba138942174b55982a5c69e8c97d17eeab6a23cb05fbccc28cf2754a6b006d43e2d07edf55990210f0e5d7ec87543b182e648ec8b76e57a7b354eb406f5b
SSDEEP:	384:mmZ+vEiTbZvpWNcZ0y8f1CRDX5CLk6SiprAF+rMRTyN/0L+EcoinblneHQM3epzy:n+dTZ38f1CRDcNSerM+rMRa8Nu4Rt
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.$f................................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Access Token Manipulation Software Packing
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Contains functionality to log keystrokes (.Net Source)	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Access Token Manipulation Disable or Modify Tools
Abnormal high CPU Usage	System Summary	Access Token Manipulation
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality for execution timing, often used to detect debuggers	Malware Analysis System Evasion, Anti Debugging
Contains functionality to call native functions	System Summary
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May infect USB drives	Spreading	Replication Through Removable Media Access Token Manipulation
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary	Access Token Manipulation
Uses 32bit PE files	Compliance, System Summary
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Yara signature match	System Summary
Contains functionality to adjust token privileges (e.g. debug / backup)	System Summary	Access Token Manipulation
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging
Creates mutexes	System Summary	Access Token Manipulation
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary	Access Token Manipulation
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries a list of all running processes	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection	Access Token Manipulation
Reads software policies	System Summary	Access Token Manipulation
Sample is known by Antivirus	System Summary	Access Token Manipulation
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary	Access Token Manipulation
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses new MSVCR Dlls	Compliance, System Summary	Access Token Manipulation
Uses Microsoft Silverlight	System Summary	Access Token Manipulation

\Device\ConDrv

ASCII text, with CRLF line terminators

dropped

Details

File:	\Device\ConDrv
Category:	dropped
Dump:	ConDrv.2.dr
ID:	dr_0
Target ID:	2
Process:	C:\Windows\SysWOW64\netsh.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.971939296804078
Encrypted:	false
Ssdeep:	6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
Size:	313
Whitelisted:	false
Reputation:	high

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\jpGSWjSTSw.exe

"C:\Users\user\Desktop\jpGSWjSTSw.exe"

Details

Is windows:	false
Is dropped:	false
PID:	5456
Target ID:	0
Parent PID:	1028
Name:	jpGSWjSTSw.exe
Path:	C:\Users\user\Desktop\jpGSWjSTSw.exe
Commandline:	"C:\Users\user\Desktop\jpGSWjSTSw.exe"
Size:	37888
MD5:	B1048F879FA97D356045037BDDC4ADD3
Time:	00:46:48
Date:	25/04/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7e0000
Modulesize:	65536
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected Njrat	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
May infect USB drives	Spreading	Replication Through Removable Media
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\user\Desktop\jpGSWjSTSw.exe" "jpGSWjSTSw.exe" ENABLE

Details

Is windows:	true
Is dropped:	false
PID:	2460
Target ID:	2
Parent PID:	5456
Name:	netsh.exe
Path:	C:\Windows\SysWOW64\netsh.exe
Commandline:	netsh firewall add allowedprogram "C:\Users\user\Desktop\jpGSWjSTSw.exe" "jpGSWjSTSw.exe" ENABLE
Size:	82432
MD5:	4E89A1A088BE715D6C946E55AB07C7DF
Time:	00:46:54
Date:	25/04/2024
Reason:	newprocess
Reputation:	moderate
Is admin:	true
Is elevated:	true
Modulebase:	0x1080000
Modulesize:	122880
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Modifies the windows firewall	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Uses netsh to modify the Windows network and firewall settings	Lowering of HIPS / PFW / Operating System Security Settings	Disable or Modify Tools
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4764
Target ID:	3
Parent PID:	2460
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	00:46:54
Date:	25/04/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6d64d0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

0.tcp.eu.ngrok.io

Details

Name:	0.tcp.eu.ngrok.io
TargetID:	0
From Memory:	false
Current Path:	C:\Users\user\Desktop\jpGSWjSTSw.exe
Source:	config extractor

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0

unknown

Domains

Name

Malicious

0.tcp.eu.ngrok.io

3.124.142.205

Details

Name:	0.tcp.eu.ngrok.io
IP:	3.124.142.205
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Snort IDS alert for network traffic	Networking
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

3.124.142.205

0.tcp.eu.ngrok.io

United States

Details

IP:	3.124.142.205
TargetID:	0
Current Path:	C:\Users\user\Desktop\jpGSWjSTSw.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false
Domain:	0.tcp.eu.ngrok.io

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

3.125.102.39

unknown

United States

Details

IP:	3.125.102.39
TargetID:	0
Current Path:	C:\Users\user\Desktop\jpGSWjSTSw.exe
Country:	United States
Countrycode:	USA
ASN number:	16509
ASN name:	AMAZON-02US
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_CURRENT_USER

Memdumps

Base Address

Regiontype

Protect

Malicious

7E2000

unkown

page readonly

2E61000

trusted library allocation

page read and write

D53000

stack

page read and write

DFA000

trusted library allocation

page execute and read and write

312D000

trusted library allocation

page read and write

5459000

heap

page read and write

5430000

heap

page read and write

DED000

heap

page read and write

E39000

heap

page read and write

50CB000

stack

page read and write

DD4000

heap

page read and write

DF6000

heap

page read and write

5A3C000

heap

page read and write

E96000

heap

page read and write

E32000

heap

page read and write

E44000

heap

page read and write

E3E000

heap

page read and write

DC0000

heap

page read and write

E0C000

heap

page read and write

E10000

heap

page read and write

5400000

unclassified section

page read and write

E4A000

heap

page read and write

E30000

heap

page read and write

4C10000

heap

page read and write

E99000

heap

page read and write

BF0000

heap

page read and write

DEA000

heap

page read and write

E71000

heap

page read and write

D4E000

stack

page read and write

E0C000

heap

page read and write

31F4000

trusted library allocation

page read and write

DEA000

heap

page read and write

E92000

heap

page read and write

E4E000

heap

page read and write

E2C000

heap

page read and write

DF6000

heap

page read and write

5460000

heap

page read and write

CA0000

heap

page read and write

BE0000

heap

page read and write

3154000

trusted library allocation

page read and write

DF6000

heap

page read and write

4E68000

trusted library allocation

page read and write

E4C000

heap

page read and write

E44000

heap

page read and write

E4B000

heap

page read and write

E39000

heap

page read and write

E2F000

heap

page read and write

E4E000

heap

page read and write

E4A000

heap

page read and write

7F610000

trusted library allocation

page execute and read and write

5450000

heap

page read and write

DFA000

heap

page read and write

5453000

heap

page read and write

E0D000

heap

page read and write

3152000

trusted library allocation

page read and write

EF0000

heap

page read and write

545C000

heap

page read and write

E44000

heap

page read and write

DEF000

heap

page read and write

1330000

trusted library allocation

page read and write

310E000

trusted library allocation

page read and write

E0A000

heap

page read and write

E4A000

heap

page read and write

508C000

stack

page read and write

E3D000

heap

page read and write

1376000

heap

page read and write

5960000

heap

page read and write

E10000

heap

page read and write

E0E000

heap

page read and write

DEE000

heap

page read and write

E9E000

heap

page read and write

E3F000

heap

page read and write

E2F000

heap

page read and write

E10000

heap

page read and write

DF6000

heap

page read and write

E2F000

heap

page read and write

E0D000

heap

page read and write

E9E000

heap

page read and write

52FD000

stack

page read and write

E40000

heap

page read and write

E2B000

heap

page read and write

E97000

heap

page read and write

FE0000

trusted library allocation

page read and write

4E60000

trusted library allocation

page read and write

C3E000

stack

page read and write

E44000

heap

page read and write

DC0000

trusted library allocation

page read and write

F07000

trusted library allocation

page execute and read and write

E36000

heap

page read and write

30BF000

trusted library allocation

page read and write

545A000

heap

page read and write

3EE8000

trusted library allocation

page read and write

E95000

heap

page read and write

E89000

heap

page read and write

E99000

heap

page read and write

51F3000

heap

page read and write

33E0000

heap

page read and write

DA0000

trusted library allocation

page read and write

E0F000

heap

page read and write

DA0000

heap

page read and write

E4B000

heap

page read and write

534D000

heap

page read and write

E3D000

heap

page read and write

DE6000

heap

page read and write

E41000

heap

page read and write

309E000

trusted library allocation

page read and write

E4E000

heap

page read and write

2ED3000

trusted library allocation

page read and write

E3D000

heap

page read and write

DB1000

heap

page read and write

DEF000

heap

page read and write

EB0000

heap

page read and write

532F000

stack

page read and write

DC2000

trusted library allocation

page execute and read and write

DFC000

trusted library allocation

page execute and read and write

E4B000

heap

page read and write

DEE000

heap

page read and write

E47000

heap

page read and write

5451000

heap

page read and write

E3A000

heap

page read and write

5459000

heap

page read and write

D5B000

stack

page read and write

DEA000

heap

page read and write

5A26000

heap

page read and write

E44000

heap

page read and write

7EC000

unkown

page readonly

E30000

heap

page read and write

4FFE000

stack

page read and write

DE0000

heap

page read and write

D5E000

stack

page read and write

E46000

heap

page read and write

DE6000

heap

page read and write

E47000

heap

page read and write

DDA000

trusted library allocation

page execute and read and write

C5B000

stack

page read and write

DD7000

heap

page read and write

DCA000

trusted library allocation

page execute and read and write

5467000

heap

page read and write

E4E000

heap

page read and write

E10000

heap

page read and write

33E6000

heap

page read and write

DFA000

heap

page read and write

1020000

heap

page read and write

DFB000

heap

page read and write

DBA000

trusted library allocation

page execute and read and write

510C000

stack

page read and write

DF9000

heap

page read and write

3E61000

trusted library allocation

page read and write

E93000

heap

page read and write

10FE000

stack

page read and write

5970000

heap

page read and write

E4D000

heap

page read and write

1350000

trusted library allocation

page execute and read and write

FBC000

stack

page read and write

DB4000

heap

page read and write

DF7000

heap

page read and write

5950000

heap

page read and write

E0F000

heap

page read and write

51F0000

heap

page read and write

E35000

heap

page read and write

E44000

heap

page read and write

E3D000

heap

page read and write

E2F000

heap

page read and write

3330000

heap

page read and write

FF0000

heap

page read and write

5431000

heap

page read and write

F60000

heap

page read and write

5453000

heap

page read and write

E6F000

heap

page read and write

F05000

heap

page read and write

DED000

heap

page read and write

E6F000

heap

page read and write

E93000

heap

page read and write

DF4000

heap

page read and write

DF0000

trusted library allocation

page read and write

5459000

heap

page read and write

4C5E000

stack

page read and write

E3A000

heap

page read and write

518C000

stack

page read and write

DE6000

heap

page read and write

E36000

heap

page read and write

E50000

heap

page read and write

E42000

heap

page read and write

5452000

heap

page read and write

E0F000

heap

page read and write

F02000

trusted library allocation

page read and write

CA5000

heap

page read and write

E39000

heap

page read and write

5466000

heap

page read and write

F4E000

stack

page read and write

5465000

heap

page read and write

E4A000

heap

page read and write

E9E000

heap

page read and write

5A20000

heap

page read and write

DDF000

heap

page read and write

E4E000

heap

page read and write

E0F000

heap

page read and write

E47000

heap

page read and write

E95000

heap

page read and write

DD7000

trusted library allocation

page execute and read and write

3EC7000

trusted library allocation

page read and write

ED1000

heap

page read and write

B76000

stack

page read and write

E9E000

heap

page read and write

DEB000

heap

page read and write

E40000

heap

page read and write

545E000

heap

page read and write

E3B000

heap

page read and write

E37000

heap

page read and write

5460000

heap

page read and write

1300000

trusted library allocation

page execute and read and write

57E0000

trusted library allocation

page execute and read and write

DB2000

trusted library allocation

page execute and read and write

30A4000

trusted library allocation

page read and write

E95000

heap

page read and write

5459000

heap

page read and write

E10000

heap

page read and write

E4D000

heap

page read and write

E3F000

heap

page read and write

DF7000

heap

page read and write

1340000

heap

page execute and read and write

E42000

heap

page read and write

12FF000

stack

page read and write

5459000

heap

page read and write

319E000

unkown

page read and write

5464000

heap

page read and write

A79000

stack

page read and write

E2F000

heap

page read and write

E43000

heap

page read and write

E46000

heap

page read and write

E3B000

heap

page read and write

DC0000

heap

page read and write

F00000

heap

page read and write

DFA000

heap

page read and write

DA7000

heap

page read and write

4CE0000

heap

page read and write

E4D000

heap

page read and write

1030000

heap

page read and write

E47000

heap

page read and write

E2F000

heap

page read and write

E4D000

heap

page read and write

5149000

stack

page read and write

5300000

heap

page read and write

E2B000

heap

page read and write

5456000

heap

page read and write

E2F000

heap

page read and write

3EBE000

trusted library allocation

page read and write

DDE000

heap

page read and write

E4D000

heap

page read and write

5466000

heap

page read and write

EFE000

unkown

page read and write

E3F000

heap

page read and write

3E86000

trusted library allocation

page read and write

329E000

stack

page read and write

DF2000

trusted library allocation

page execute and read and write

E3E000

heap

page read and write

E44000

heap

page read and write

E00000

heap

page read and write

1370000

heap

page read and write

DC0000

heap

page read and write

1310000

trusted library allocation

page read and write

101D000

stack

page read and write

E50000

heap

page read and write

E9E000

heap

page read and write

E39000

heap

page read and write

EA8000

heap

page read and write

E2F000

heap

page read and write

5330000

heap

page read and write

7E0000

unkown

page readonly

E2B000

heap

page read and write

DF8000

heap

page read and write

30FE000

trusted library allocation

page read and write

E2F000

heap

page read and write

F0B000

trusted library allocation

page execute and read and write

There are 264 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
jpGSWjSTSw.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportjpGSWjSTSw.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
jpGSWjSTSw.exe