SKM-21022100.js

General
Target

SKM-21022100.js

Size

213KB

Sample

220107-jj9k6sbhh8

Score
10 /10
MD5

0618efa95ebe9c933466fdf795961c43

SHA1

6e93f7b03f1149f821b57176a4b838c7365572ac

SHA256

7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

SHA512

e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

Malware Config

Extracted

Family revengerat
Botnet NyanCatRevenge
C2

macjoe597.duia.ro:3175

Extracted

Family bitrat
Version 1.38
C2

severdops.ddns.net:3071

Attributes
communication_password
29ef52e7563626a96cea7f4b4085c124
tor_process
tor
Targets
Target

SKM-21022100.js

MD5

0618efa95ebe9c933466fdf795961c43

Filesize

213KB

Score
10/10
SHA1

6e93f7b03f1149f821b57176a4b838c7365572ac

SHA256

7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

SHA512

e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

Tags

Signatures

  • BitRAT

    Description

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    Tags

  • RevengeRAT

    Description

    Remote-access trojan with a wide range of capabilities.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Looks for VirtualBox Guest Additions in registry

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query RegistryVirtualization/Sandbox Evasion
  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery
  • Deletes itself

  • Windows security modification

    Tags

    TTPs

    Disabling Security ToolsModify Registry
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Privilege Escalation