Http Www.jmp.com Software Trial Reply Download.shtml Snum Ql4r5600jr&os Mac Updated

Incident Response

MITRE ATT&CK™ Techniques Detection

This report has three indicators that were mapped to 4 attack techniques and 4 tactics.

Indicators

Not all malicious and suspicious indicators are displayed.

  • Installation/Persistence
    • Found an indicator for a scheduled task trigger
      details
      "on_Script-Run_Once - Run and Delete itself on first Internet Contact</Description>
      <URI>\Online_KMS_Activation_Script-Run_Once</URI>
      <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>
      </RegistrationInfo>
      <Triggers>
      <LogonTrigger>
      <Enabled>true</Enabled>
      </LogonTrigger>
      </Triggers>
      <Principals>
      <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
      </Principal>
      </Principals>
      <Settings>
      <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
      <AllowHardTerminate>true</AllowHardTerminate>
      <StartWhenAvailable>true</StartWhenAvailable>
      <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
      <IdleSettings>
      <StopOnIdleEnd>fal" (Indicator: "LogonTrigger"; File: "19091c019430222185384a4eb4aa1299d5ee775e174facbd80d62827040959e9.cmd.bin")
      "<LogonTrigger>" (Indicator: "LogonTrigger"; File: "19091c019430222185384a4eb4aa1299d5ee775e174facbd80d62827040959e9.cmd.bin")
      "</LogonTrigger>" (Indicator: "LogonTrigger"; File: "19091c019430222185384a4eb4aa1299d5ee775e174facbd80d62827040959e9.cmd.bin")
      source: String
      relevance: 5/10
      ATT&CK ID: T1168
  • External Systems
  • General
    • Found a potential E-Mail address in binary/memory
      details
      Pattern match: "t6s@w.6ygm"
      Pattern match: "e@j3krzc8tx.u96ck"
      Pattern match: "azslqj@_rkm9.i"
      Pattern match: "i30@i4i.mead8"
      Pattern match: "zmpjv@v2srbu3fg.e4g"
      Pattern match: "9lr@.bojpe0apfn9.srsfw0ad"
      Pattern match: "2@b.3ci"
      Pattern match: "jec@ug1lu..vztbkiaypu"
      Pattern match: "s@qlsm.hrod1"
      Pattern match: "or@8.fr"
      Pattern match: "k-rf7n@qdv.pwey"
      Pattern match: "k@tu.3p1"
      Pattern match: "kag6z@lu02kokh.4j"
      Pattern match: "v@se._c"
      Pattern match: "5b@ddcspsw.0"
      Pattern match: "7aordyk@u8k.omd2"
      Pattern match: "xz_l@t.i6"
      Pattern match: "pl_@df.pwv"
      Pattern match: "l3@zqoa.6eh"
      Pattern match: "u1u@j.wy"
      source: String
      relevance: 3/10
      ATT&CK ID: T1114
  • Network Related
    • Found potential IP address in binary/memory
      details
      Heuristic match: "::set KMS_IP=172.16.0.2"
      Heuristic match: "wmic path %spp% where ID='%1' call SetKeyManagementServiceMachine MachineName="127.0.0.2" %_Nul_1_2%"
      source: String
      relevance: 3/10
  • Remote Access Related
    • Contains indicators of bot communication commands
      details
      "if defined Run_Once Exit 1651565635 & Rem Dummy Numbers To Show Error In Task
      echo.
      pause
      goto:EOF
      )
      echo Waiting 30 s&timeout /t 30>nul
      set /a loop=%loop%+1
      goto repeat
      )
      echo Internet is connected.
      echo.

      :: ----------------------------------------------
      :: Multi KMS servers integration and ping test
      :: Written by @RPO (MDL)
      :: ----------------------------------------------

      ::========================================================================================================================================
      REM - Servers_List - You can edit the Online KMS Servers in below line, Make sure to leave a space between the servers name.

      set "servers=kms.digiboy.ir kms.mrxn.net kms8.MSGuides.com kms9.MSGuides.com kms.chinancce.com kms.library.hk kms.03k.org kms.digiboy.ir"

      ::========================================================================================================================================

      set n=1&for %%a in (%servers%) do" (Indicator: "servers=")
      "(set server[!n!]=%%a&set /A n+=1)&set /a max_servers=!n!-1
      set server_num=1
      :server
      set /a activation_ok=1
      if %server_num% gtr !max_servers! (
      if defined Renewal_Task (echo No KMS server available. Exiting...&exit 1651565635 rem Dummy Numbers To Show Error In Task)
      if defined Run_Once (echo No KMS server available. Exiting...&exit 1651565635 rem Dummy Numbers To Show Error In Task)
      echo No KMS server available, & pause & goto:EOF)

      set KMS_IP=!server[%server_num%]!

      echo Trying with KMS server: %KMS_IP%
      ping %KMS_IP% -n 1 -w 20000 > nul || (
      echo Ping test is unsuccessful.
      set /a server_num+=1
      goto :server
      )
      echo Ping test is successful.

      ::========================================================

      cd /d "%~dp0"
      IF /I "%PROCESSOR_ARCHITECTURE%" EQU "AMD64" (set xOS=x64) else (set xOS=Win32)
      for /f "tokens=6 delims=[]. " %%G in ('ver') do set winbuild=%%G
      if %winbuild% GEQ 9600 (
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Plat" (Indicator: "servers="), "set "servers=kms.digiboy.ir kms.mrxn.net kms8.MSGuides.com kms9.MSGuides.com kms.chinancce.com kms.library.hk kms.03k.org kms.digiboy.ir"" (Indicator: "servers="), "set n=1&for %%a in (%servers%) do (set server[!n!]=%%a&set /A n+=1)&set /a max_servers=!n!-1" (Indicator: "servers=")

      source: String
      relevance: 10/10
      ATT&CK ID: T1094
  • External Systems
  • Installation/Persistence
    • Opens the MountPointManager (often used to detect additional infection locations)
      details
      "wscript.exe" opened "\Device\MountPointManager"
      source: API Call
      relevance: 5/10
    • Touches files in the Windows directory
      details
      "wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
      "wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
      "wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
      "wscript.exe" touched file "%WINDIR%\System32\rsaenh.dll"
      "wscript.exe" touched file "%WINDIR%\System32\en-US\jscript.dll.mui"
      "wscript.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
      "wscript.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
      source: API Call
      relevance: 7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Pattern match: "https://www.crackshash.com/"
      Pattern match: "https://forums.mydigitallife.net/posts/1479105"
      Pattern match: "https://www.nsaneforums.com/topic/312871--/"
      Pattern match: "https://s.put.re/9j71eomM.7z"
      Pattern match: "https://github.com/AveYo/Compressed2TXT"
      Pattern match: "https://gitlab.com/angelkyo/w10-digitallicense"
      Pattern match: "https://s.put.re/aiYbFHiP.7z"
      Pattern match: "https://stackoverflow.com/a/12264592/1016343"
      Pattern match: "www.crackshash.com"
      Pattern match: "https://forums.mydigitallife.net/posts/1150042"
      Pattern match: "https://forums.mydigitallife.net/posts/838808"
      Pattern match: "https://forums.mydigitallife.net/posts/1479890"
      Pattern match: "https://tb.rg-adguard.net"
      Pattern match: "https://www.softpedia.com/get/System/Back-up-and-Recovery/SVF-eXtractor.shtml"
      Pattern match: "https://genuineisoverifier.weebly.com/"
      Pattern match: "https://androidhost.org/get/E5jX7Pv"
      Pattern match: "https://forums.mydigitallife.net/posts/1466365"
      Pattern match: "https://tinyurl.com/ydedarpl"
      Pattern match: "https://github.com/abbodi1406/WHD/raw/master/scripts/Clear-KMS-Cache.zip"
      Pattern match: "https://www.nsaneforums.com/topic/316668--/"
      Pattern match: "www.google.com"
      Pattern match: "https://forums.mydigitallife.net/posts/1221231"
      Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
      Pattern match: "P6Y004jh00000000000000000000000000E.7a..Ktt/s5{u000000H-3ky7JZmfFu9^fB,mh000000000000000000000000000000000010M]z30NmCA"
      Pattern match: "https://github.com/vyvojar/slshim/releases"
      Pattern match: "https://tinyurl.com/y928qd8p"
      Pattern match: "https://tinyurl.com/y86za5zq"
      Pattern match: "0x0.st/s9j"
      Pattern match: "https://s.put.re/WFuXpyWA.zip"
      Pattern match: "https://stackoverflow.com/users/1016343/matt"
      Pattern match: "https://pastebin.com/raw/Hk2RgYzF"
      Pattern match: "https://forums.mydigitallife.net/threads/77028"
      Pattern match: "https://rutracker.org/forum/viewtopic.php?t=5489573"
      Pattern match: "https://msdn.rg-adguard.net/"
      Pattern match: "https://vlsc.rg-adguard.net/"
      Pattern match: "https://sha1.rg-adguard.net/"
      Pattern match: "https://forums.mydigitallife.net/threads/78070/"
      Pattern match: "http://www.heidoc.net/php/myvsdump.php"
      Pattern match: "https://github.com/gurnec/HashCheck/releases/latest"
      Pattern match: "https://s.put.re/ah9FW2gh.7z"
      Heuristic match: "kms.digiboy.ir"
      Heuristic match: "kms.mrxn.net"
      Heuristic match: "kms8.MSGuides.com"
      Heuristic match: "kms9.MSGuides.com"
      Heuristic match: "kms.chinancce.com"
      Heuristic match: "kms.library.hk"
      Heuristic match: "kms.03k.org"
      Pattern match: "e.hyf/(^Tf3xK_#Rg|ok)R{87y@wD|[/I@Ity&Y/n0phA#/?p]2FXH=Itg^bB_nNf56J_F}&2+Cz"
      Pattern match: "b.VdT/?sfB1"
      Pattern match: "Pop.XY/Tu4w?I*!_BHigy5CoztLQkSu.8iv6LDmu,KBgg4a"
      Heuristic match: "::+JP?z.&9k3(Sq_p)@;Y@PR.#CVMm8enVq]|(@!gbO=WZ#dZ!/sEs9hjznRHXAy8(d;WfaauCCa1_B@5}mnw~uJsaDpi8^V(su34TOem(,R;##i&4ZjdRr}iOYe.dO"
      Pattern match: "m.CvRK/@vXrSxO"
      Heuristic match: "::rFDB8eoAA@@tdJCCveNL7]O/kHyLF@5vSfc{6?D(Y1]S*qwl/=8a3&#r8f9I6@mtI&Dvd.xJr28z@AXQ0^A-Y6Gy.n4hHT[Px3Bfogl#JaH_WyRCm3/ophPnF_.MG"
      Pattern match: "jb11JfX.XnuX/aF=da&K_7R88H/[a^b7/A7"
      Pattern match: "WiO7yU.Kxc/7HFamej[B"
      Pattern match: "-.jB/,|d.1000"
      Heuristic match: "::Au?r*Un~-8uBwRyVv!Uv3q6A#QEh6r&_vYK6jfS7YQD[R4d)X6+?DpNLnd[JB[bP2hHKv39k4+AWcnp=7}U[7/2pc]7Dvvb20X/SzZm0K)TEGWma~d;st{~Tw).MC"
      Pattern match: "f7.z0x1C.NWy/c~W,O6xxC*}Ej#2M?u@dq|B+vRN[Thou.N{2TgMmlOI3s0GgArEJ.sYS"
      Pattern match: "M..CQ/1091c2.27kY56@tGbf"
      Pattern match: "73g3.Kxi//AKK}p}dTSWnMLxO&"
      Pattern match: "EvRWDr.EM/kLoe?kuJEW"
      source: String
      relevance: 10/10
  • Unusual Characteristics
    • Found reference to Diagnosis CAB file
      details
      "r. You can find it here https://s.put.re/aiYbFHiP.7z

      It contains following files, which are extracted to %temp% folder in 'Convert Retail Office to
      VL' option.

      C2R-R2V/
      checksums.sha1 297 bytes 65ce5885e59677aa3372ee3786ca6572100b39af VT = 0/54
      x64/
      cleanospp.exe 19.5 KB d30a0e4e5911d3ca705617d17225372731c770e2 VT = 0/70
      msvcr100.dll 809 KB b7b9349b33230c5b80886f5c1f0a42848661c883 VT = 0/69
      x86/
      cleanospp.exe 17.0 KB 39ed8659e7ca16aaccb86def94ce6cec4c847dd6 VT = 0/70
      key.vbs 3.62 KB 0d526d8cf9f4c3b5fdbcc7cdf7707eedc9b7aff8 VT = 1/56
      msvcr100.dll 755 KB 0b51fb415ec89848f339f8989d323bea722bfd70 VT = 0/69

      Total size = 1.56 MB
      Total size in compressed text = 810 KB

      File sources -
      cleanospp.exe and msvcr100.dll come from the 'old' version of Microsoft Tool O15CTRRemove.diagcab
      You can get the original file here https://s.put.re/WFuXpyWA.zip

      ----------------------------------" (Indicator: ".diagcab")
      "cleanospp.exe and msvcr100.dll come from the 'old' version of Microsoft Tool O15CTRRemove.diagcab" (Indicator: ".diagcab")

      source: String
      relevance: 7/10

File Details

All Details:

MAS_0.6_CRC32_656492C8 {CracksHash}.cmd

Filename
MAS_0.6_CRC32_656492C8 {CracksHash}.cmd
Size
1.9MiB (2037820 bytes)
Type
script javascript
Description
DOS batch file, ASCII text, with CRLF line terminators
Architecture
WINDOWS
SHA256
19091c019430222185384a4eb4aa1299d5ee775e174facbd80d62827040959e9

Classification (TrID)

  • 100.0% (.BIB/BIBTEX/TXT) BibTeX references


Hybrid Analysis

Analysed 1 process in total.

  • wscript.exe "C:\MAS_0.6_CRC32_656492C8_CracksHash_.cmd.js" (PID: 3352)

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Files

No significant files were extracted.

Notifications

  • Network whitenoise filtering (Process) was applied
  • No static analysis parsing on sample was performed
  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID "string-63" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)

Posted by: randolphlopurter1968.blogspot.com
