Overview

overview

10

Static

static

SKM-21022100.js

windows7_x64

10

SKM-21022100.js

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    07-01-2022 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SKM-21022100.js

  • Size

    213KB

  • MD5

    0618efa95ebe9c933466fdf795961c43

  • SHA1

    6e93f7b03f1149f821b57176a4b838c7365572ac

  • SHA256

    7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

  • SHA512

    e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

Score
10/10
bitratrevengeratnyancatrevengeevasionpersistencetrojanupx

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

macjoe597.duia.ro:3175

Mutex

1e858dc786914c61

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes
  • communication_password

    29ef52e7563626a96cea7f4b4085c124

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\SKM-21022100.js
    1⤵
    • Blocklisted process makes network request
    • Deletes itself
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Roaming\macjoe597.exe
        "C:\Users\Admin\AppData\Roaming\macjoe597.exe"
        3⤵
        • Executes dropped EXE
        PID:568
    • C:\Users\Admin\AppData\Local\Temp\dt.exe
      "C:\Users\Admin\AppData\Local\Temp\dt.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Windows security modification
      • Adds Run key to start application
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\TATTOOISTSEAB\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:532
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dt.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1728
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe"
        3⤵
          PID:960
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Disabling Security Tools

    2
    T1089

    Modify Registry

    3
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\dt.exe
      MD5

      9401cf9f73dfb187bf4cef05d8cfe72b

      SHA1

      4af6544d8c94bb673f826a0ba4d24698150b1089

      SHA256

      bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

      SHA512

      8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dt.exe
      MD5

      9401cf9f73dfb187bf4cef05d8cfe72b

      SHA1

      4af6544d8c94bb673f826a0ba4d24698150b1089

      SHA256

      bb8298b28cd913814c41d7b6a878b8e2a2da7eb34083c901a5408413fed93b45

      SHA512

      8438c79aa1ac9779bdab11a3f46f174aad97a7bc2fd1f571d42ef8817dc8477b68468be7445c789d125c1b8749338e047e20301d0a11b9e52dacf947abb65dd4

      Download Submit
    • C:\Users\Admin\AppData\Roaming\AGAzSHOPvp.js
      MD5

      a4488cacb74d99f2405ca976cd453f93

      SHA1

      05ccc361149ff5d3d1cf21c77aa43e9d10bc78bf

      SHA256

      58ed5a2f5df34e6652863ea2a44a4bf2e1f05cd1e771b74893fddeaa51d6fe19

      SHA512

      df9728cc9aa5a129b416936e94d3e599df8d64e34375677c8f2100bdac772c1728b886b22c83b5f453dd993880db104ecabe9d2ae0c4b426f8ddfe6a05c1c8de

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      MD5

      41a4df4af2ff97e734341712c17eb74d

      SHA1

      9bb29ee31ce650864dec138002ebb167d0ae7dde

      SHA256

      9ea6c610b91615f16bc092e16e69188cf93341a66774edc2d4715651f353c1a2

      SHA512

      dbdeb18ad43d017434ae8f34840e2ae22a461badcd77864d509368fcc961e5648b0f596a8e1b3db6e27654ebca7f1a9e2ce97e70f8e9513edcb879e719360e65

      Download Submit
    • C:\Users\Admin\AppData\Roaming\macjoe597.exe
      MD5

      6f2422ca1b1665f0c181784b3738e100

      SHA1

      0ec0385993acd6fd49a13e670bc62904e7067e02

      SHA256

      977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

      SHA512

      e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

      Download Submit
    • C:\Users\Admin\AppData\Roaming\macjoe597.exe
      MD5

      6f2422ca1b1665f0c181784b3738e100

      SHA1

      0ec0385993acd6fd49a13e670bc62904e7067e02

      SHA256

      977a9dfd479194994fd11df6274412bcb10f511a510890e9d267893886833b85

      SHA512

      e9068bda0707179afd39a0419578da8ec2414cd5175b1e41a6595c08b0379f9c6cf88ae7a1b82f3df91f247f877c94f71d34a5740f2b48b3290ce56794674d34

      Download Submit
    • memory/532-81-0x0000000002390000-0x0000000002FDA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/532-74-0x0000000000000000-mapping.dmp
      Download
    • memory/532-88-0x0000000002390000-0x0000000002FDA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/532-83-0x0000000002390000-0x0000000002FDA000-memory.dmp
      Filesize

      12.3MB

      Download
    • memory/564-57-0x000007FEFB531000-0x000007FEFB533000-memory.dmp
      Filesize

      8KB

      Download
    • memory/564-55-0x0000000000000000-mapping.dmp
      Download
    • memory/568-58-0x0000000000000000-mapping.dmp
      Download
    • memory/568-62-0x0000000000B00000-0x0000000000B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-61-0x0000000075191000-0x0000000075193000-memory.dmp
      Filesize

      8KB

      Download
    • memory/612-73-0x0000000000000000-mapping.dmp
      Download
    • memory/612-80-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/612-87-0x0000000001BF2000-0x0000000001BF4000-memory.dmp
      Filesize

      8KB

      Download
    • memory/612-85-0x0000000001BF1000-0x0000000001BF2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-92-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-93-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-89-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-94-0x00000000007E2730-mapping.dmp
      Download
    • memory/808-91-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-95-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-97-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/808-90-0x0000000000400000-0x00000000007E5000-memory.dmp
      Filesize

      3.9MB

      Download
    • memory/1728-75-0x0000000000000000-mapping.dmp
      Download
    • memory/1728-82-0x00000000024F0000-0x00000000024F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1728-84-0x00000000024F1000-0x00000000024F2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1728-86-0x00000000024F2000-0x00000000024F4000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2000-68-0x0000000000A00000-0x0000000000A01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2000-63-0x0000000000000000-mapping.dmp
      Download
    • memory/2000-66-0x0000000001020000-0x000000000125C000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/2000-67-0x0000000000580000-0x0000000000588000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2000-71-0x0000000006000000-0x000000000620C000-memory.dmp
      Filesize

      2.0MB

      Download
    • memory/2000-69-0x0000000000610000-0x0000000000618000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2000-70-0x0000000000620000-0x0000000000628000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2000-72-0x0000000000A40000-0x0000000000AD4000-memory.dmp
      Filesize

      592KB

      Download