Lotus Blossom Malspam

VTI SCORE: 100/100

Target:

win7_64_sp1-mso2016 | ms_office

Classification:

Trojan, Dropper, Downloader

d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411 (SHA256)

DoNotOpen2.doc

Word Document

Created at 2018-02-02 16:47:00

Notifications (2/2)

Some memory dumps may be missing in the reports since the total dump size limit was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Severity	Category	Operation	Classification
5/5	Injection	Writes into the memory of another running process	-
"c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe" modifies memory of "c:\program files (x86)\internet explorer\iexplore.exe" ... VTI Actions Go to Function Call
5/5	Injection	Modifies control flow of another process	-
"c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe" creates thread in "c:\program files (x86)\internet explorer\iexplore.exe" ... VTI Actions Go to Function Call
4/5	Process	Creates process	-
Creates process "C:\Program Files (x86)\Internet Explorer\iexplore.exe". ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\aetadzjz\desktop\DoNotOpen2.doc" is a known malicious file. ... VTI Actions Go to File Details
File "c:\users\aetadzjz\appdata\roaming\microsoft\windows\caches\navshext.dll" is a known malicious file. ... VTI Actions Go to File Details Go to Function Call
4/5	Network	Downloads data	Downloader
URL "api.ipaddress.com/myip?format=txt". ... VTI Actions Go to Function Call
URL "103.236.150.14/getn/mpj.gif?y=cz3kz92r". ... VTI Actions Go to Function Call
URL "103.236.150.14/bubafni/wllqc.asp". ... VTI Actions Go to Function Call
3/5	Persistence	Installs system startup script or application	-
Adds "C:\Windows\system32\rundll32.exe C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Caches\NavShExt.dll,Setting" to Windows startup via registry. ... VTI Actions Go to Function Call
Adds "C:\Windows\system32\rundll32.exe C:\Users\aETAdzjz\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting" to Windows startup via registry. ... VTI Actions Go to Function Call
3/5	Network	Performs DNS request	-
Resolves host name "YKyd69q". ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "api.ipaddress.com/myip?format=txt". ... VTI Actions Go to Function Call
URL "103.236.150.14/getn/mpj.gif?y=cz3kz92r". ... VTI Actions Go to Function Call
URL "103.236.150.14/bubafni/wllqc.asp". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\aetadzjz\appdata\roaming\microsoft\windows\caches\navshext.dll". ... VTI Actions Go to File Details Go to Function Call
1/5	Anti Analysis	Tries to detect debugger	-
Check via API "IsDebuggerPresent". ... VTI Actions Go to Function Call
1/5	Process	Creates system object	-
Creates mutex with name "donotbotherme". ... VTI Actions Go to Function Call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (2/2)

Before

After