Analysis
-
max time kernel
66s -
max time network
96s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
28-10-2021 22:02
General
-
Target
7632JUST.js
-
Size
1019B
-
MD5
990c7925b1524993c8764a3959778d0d
-
SHA1
dbda43ac090d07afa75a2f6cae79be0371983d5a
-
SHA256
eae81605341641ad10c18ab60b79339617f0219abaa1ab5ee7883fc9d429b885
-
SHA512
9a31fa5f8eac4071a6752b25038d33d9137010115f77abcac1b80de59c20c346b3680c9dd619d516fd50f39b1777eaead1a599c9087bf7e60e6af9e9c7cbe19d
Malware Config
Extracted
nanocore
1.2.2.0
justinalwhitedd554.duckdns.org:7632
491b351b-e573-4508-bb4f-0fc9eb37df7b
-
activate_away_mode
true
-
backup_connection_host
justinalwhitedd554.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-21T05:46:17.377036536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7632
-
default_group
7632Money
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
491b351b-e573-4508-bb4f-0fc9eb37df7b
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
justinalwhitedd554.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\7632JUST.js1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\7632JUST.exe"C:\Users\Admin\AppData\Roaming\7632JUST.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
00d8921a30d82b0b25d66fd146839f77
SHA1b6cf72aeb65430bc75cdabfb8798897462881d83
SHA2562605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
SHA512812bc35c87a440645525e78ca27badd9c125b61548820c6a9d095fb4c3e9b26eea18edce6078e6c9d231ec360dde064d09fac78abeff4942399c27631cf22ef5
-
MD5
00d8921a30d82b0b25d66fd146839f77
SHA1b6cf72aeb65430bc75cdabfb8798897462881d83
SHA2562605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
SHA512812bc35c87a440645525e78ca27badd9c125b61548820c6a9d095fb4c3e9b26eea18edce6078e6c9d231ec360dde064d09fac78abeff4942399c27631cf22ef5
-
-
Filesize
4KB