Analysis

  • max time kernel
    299s
  • max time network
    350s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    31-08-2021 02:16

General

  • Target

    456-Invoice.js

  • Size

    166KB

  • MD5

    c000b245272ad81b74958689e4b3352e

  • SHA1

    ce74042c88b852c6a5b00186096f0ce42afc38b6

  • SHA256

    f19462db16c63e8c26095f8ee024340649e0b2cb26a9ba9d08691b6d01e4f2be

  • SHA512

    f9b3f811a4be2bee356d9265d15a20a00d41b4a5933d8ab5adcf683ce23cab0ac0b6a7cbdbc97abb509385082aa038d11f1b4f8e502f61e6a42535bbd4df155c

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

SUCCEED

C2

194.5.97.156:7654

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    0149266241@@@

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • Blocklisted process makes network request 36 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\456-Invoice.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\New Client.exe
      "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Delete /tn NYAN /F
        3⤵
          PID:364
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
          3⤵
          • Creates scheduled task(s)
          PID:1952
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {E26D955A-383B-4BBD-9FFE-010DEF0C7E78} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
      1⤵
        PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (T1053), 1 occurrence
  • Persistence
    Registry Run Keys / Startup Folder (T1060), 1 occurrence
    Scheduled Task (T1053), 1 occurrence
  • Privilege Escalation
    Scheduled Task (T1053), 1 occurrence
  • Defense Evasion
    Modify Registry (T1112), 1 occurrence
  • Discovery
    System Information Discovery (T1082), 1 occurrence

Downloads

  • C:\Users\Admin\AppData\Local\Temp\New Client.exe
    MD5

    4c1c9fdf28215ae2f0f681349b66bbff

    SHA1

    8ab23d0ee7a361c8f29622fa9ba05f6644e24e9a

    SHA256

    50842fb63d2308152a3d6c25bf5c45b2a71906193e299975401e8cc5189abd7a

    SHA512

    f0415187e7f7dc15546ea4bc8e6c53281aa407df064a2d73e0360e796caf807430d7ab565ba842e8d1c58c1bc35eefffcd868042c65357906a625b92064e96c5

  • C:\Users\Admin\AppData\Roaming\YgrKtkfSUZ.js
    MD5

    4e1188211bc0a1f728e5a97cf47a7105

    SHA1

    740914054d0824fbacf494855eb9121355a49740

    SHA256

    ada3ac15b6fd893f1f8b1a4ad1f6d4cbc86c566c0d5a639c4dda15f4727f2cee

    SHA512

    b37d9c26c44b45e89a4732439480bf6d09e292fb85ef054a4a591cb7228eeef0f8595aeaf12824771c033297ea218996d6e4c9006972c15a58d02b89365b2a14

  • memory/364-66-0x0000000000000000-mapping.dmp
  • memory/1244-59-0x0000000000000000-mapping.dmp
  • memory/1576-61-0x0000000000000000-mapping.dmp
  • memory/1576-64-0x0000000075C31000-0x0000000075C33000-memory.dmp
    Filesize: 8KB
  • memory/1576-65-0x0000000002160000-0x0000000002161000-memory.dmp
    Filesize: 4KB
  • memory/1576-68-0x0000000002161000-0x0000000002162000-memory.dmp
    Filesize: 4KB
  • memory/1952-67-0x0000000000000000-mapping.dmp