Analysis
- max time kernel: 151s
- max time network: 161s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-06-2022 02:10
Static task: static1
Behavioral task: behavioral1 (Sample: Cheque.js, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Cheque.js, Resource: win10v2004-20220414-en)
The results on this page are from behavioral1: the platform and resource listed above are the Windows 7 x64 image.
General
- Target: Cheque.js
- Size: 70KB
- MD5: 014b70904cf3099e1437403387529b54
- SHA1: 930859383b24df5f0321096819f5eb96a97755e9
- SHA256: bbea6ebf291353c5454e9d7890175e419d6daea230704d73e5feb29f0cb7fe71
- SHA512: 566b238574e35a65fa9ba86f5708e6847c5576ccee0a5b1dc47404fdb24c70bf8c87a159be5145d988195b518ca7b85dfd5464e779939b9901f5f02c46c1b689
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet / campaign string: HacKed By MustyMoney
- C2: 104.168.7.110:5552
- Identifier: 72f64d4ec723544c65ffca1cd7ba4ee6 (the same value is the reg_key below and the Run value name that Server.exe writes)
- reg_key: 72f64d4ec723544c65ffca1cd7ba4ee6
- splitter: |'|'|
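The splitter in the extracted config and the Suricata "(ll)" signature further down both describe how this family frames its C2 traffic. The following is an added example, not code from the sandbox or from the malware: a small parser that cuts a byte stream into length-prefixed frames, splits each frame on the configured splitter and flags the registration ("ll") message, keeping a partially received trailing frame buffered instead of dropping it. The framing (decimal length, NUL byte, payload), the field order inside the constructed sample and the "<campaign>_<identifier>" form of the base64 victim tag are assumptions made for this example; the splitter, campaign string and identifier are taken from the config above.

```python
import base64
import binascii

SPLITTER = "|'|'|"  # splitter value from the extracted config above


def split_frames(stream: bytes):
    """Cut a byte stream into complete frames.

    Assumed framing: "<decimal length>\\x00<payload>".  Returns the list of
    complete payloads plus the unconsumed tail, so a caller feeding TCP
    segments can keep buffering when the last frame is only partially here.
    """
    frames, pos = [], 0
    while True:
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        length_field = stream[pos:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}")
        start, end = nul + 1, nul + 1 + int(length_field)
        if end > len(stream):
            break  # incomplete frame: leave it in the tail
        frames.append(stream[start:end])
        pos = end
    return frames, stream[pos:]


def parse_frame(payload: bytes, splitter: str = SPLITTER):
    """Split one payload into (command, argument fields) on the splitter."""
    fields = payload.decode("utf-8", errors="replace").split(splitter)
    return fields[0], fields[1:]


def decode_victim(field: str):
    """Decode the base64 victim tag; returns None if the field is not base64."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def classify(stream: bytes):
    """Return one record per complete frame plus the unconsumed tail.

    Registration frames (command "ll", the message the Suricata rule is
    named after) get their victim tag decoded; everything else is recorded
    by command name and field count only.
    """
    frames, tail = split_frames(stream)
    records = []
    for payload in frames:
        cmd, args = parse_frame(payload)
        rec = {"cmd": cmd, "nfields": len(args), "victim": None,
               "registration": cmd == "ll"}
        if rec["registration"] and args:
            rec["victim"] = decode_victim(args[0])
        records.append(rec)
    return records, tail


def build_sample() -> bytes:
    """Constructed registration frame (not captured traffic).

    The field order after the command and the "<campaign>_<identifier>"
    victim tag are assumptions; the values reuse the report's config.
    """
    tag = base64.b64encode(b"HacKed By MustyMoney_72f64d4ec723544c65ffca1cd7ba4ee6").decode()
    fields = ["ll", tag, "WIN7-PC", "Admin", "22-06-16", "?",
              "Win 7 Ultimate SP1 x64", "No", "0.7d", ".."]
    payload = SPLITTER.join(fields).encode()
    return f"{len(payload)}\x00".encode() + payload


if __name__ == "__main__":
    # A complete registration frame followed by a truncated second frame.
    records, tail = classify(build_sample() + b"7\x00P|'|'|")
    for rec in records:
        print(rec)
    print("buffered tail:", tail)
```

Matching on the length-prefix plus splitter structure rather than on the campaign string is what lets a rule like the Suricata one above survive a rebuilt sample with a different botnet name; the decoded victim tag is what you pivot on afterwards, since it carries the per-build identifier that also shows up in the Run key.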
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) (2 alerts)
- Blocklisted process makes network request (16 IoCs)
  wscript.exe (PID 1552), flows 4, 6, 7, 10, 11, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27
- Executes dropped EXE (1 IoC)
  Server.exe (PID 592)
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erOsYaZFkd.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erOsYaZFkd.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\erOsYaZFkd.js\"" (wscript.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." (Server.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." (Server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The "Likely ransomware behaviour" wording is the generic description the sandbox attaches to this signature; nothing else in this report (three dropped files, no mass file modification) points to encryption activity.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Server.exe (PID 592)
- Suspicious use of AdjustPrivilegeToken (21 IoCs)
  Server.exe (PID 592): SeDebugPrivilege once, then ten repetitions of the pair Token 33 / SeIncBasePriorityPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1764 (wscript.exe) wrote to memory of PID 1552 (wscript.exe), 3 times
  PID 1764 (wscript.exe) wrote to memory of PID 592 (Server.exe), 3 times
  PID 592 (Server.exe) wrote to memory of PID 1892 (netsh.exe), 3 times
Processes
- C:\Windows\system32\wscript.exe (PID 1764)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Cheque.js
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1552)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\erOsYaZFkd.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Server.exe (PID 592)
    Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe (PID 1892)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
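The process tree and the persistence IoCs above form one chain: Cheque.js under wscript.exe starts a second, silent (//B) wscript.exe on a script copied to AppData\Roaming, and Server.exe from the same directory, which registers itself under Run in both the user and machine hives and adds a firewall exception for itself through netsh. As an added example that is not part of this report, the Python below runs a handful of detection rules over process, file and registry events constructed from those IoCs and groups the hits by the root of the process chain that produced them. The event schema, the rule names and the regexes are this example's own, not the sandbox's; the netsh rule also matches the newer "advfirewall firewall add rule" syntax, which this sample did not use.

```python
import re
from collections import defaultdict

# Patterns are this example's own, not the sandbox's signature definitions.
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
SILENT_FLAG = re.compile(r"(^|\s)//B(\s|$)", re.I)  # wscript //B: batch mode, no prompts
NETSH_ALLOW = re.compile(r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_SCRIPT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(js|jse|vbs|vbe|wsf|hta)$", re.I)

SID = "S-1-5-21-1083475884-596052423-1669053738-1000"

# Constructed events mirroring the process tree and IoCs in this report.
# The schema (type/pid/ppid/image/cmdline/key/value/path) is this example's own.
EVENTS = [
    {"type": "process", "pid": 1764, "ppid": 1000,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Cheque.js"},
    {"type": "process", "pid": 1552, "ppid": 1764,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\erOsYaZFkd.js"'},
    {"type": "process", "pid": 592, "ppid": 1764,
     "image": r"C:\Users\Admin\AppData\Roaming\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Server.exe"'},
    {"type": "process", "pid": 1892, "ppid": 592,
     "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE'},
    {"type": "file", "pid": 1552,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erOsYaZFkd.js"},
    {"type": "registry", "pid": 1552,
     "key": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "value": r'"C:\Users\Admin\AppData\Roaming\erOsYaZFkd.js"'},
    {"type": "registry", "pid": 592,
     "key": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6",
     "value": r'"C:\Users\Admin\AppData\Roaming\Server.exe" ..'},
    {"type": "registry", "pid": 592,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6",
     "value": r'"C:\Users\Admin\AppData\Roaming\Server.exe" ..'},
]


def detect(events):
    """Return (rule, pid) hits for single events and parent/child pairs."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            image, cmd = e["image"], e["cmdline"]
            parent = procs.get(e["ppid"])
            # Script host run silently on a script living under AppData.
            if SCRIPT_HOST.search(image) and SILENT_FLAG.search(cmd) and APPDATA.search(cmd):
                hits.append(("script_host_silent_appdata", e["pid"]))
            # Script host launching an executable out of AppData (dropped payload).
            if parent and SCRIPT_HOST.search(parent["image"]) and APPDATA.search(image) \
                    and image.lower().endswith(".exe"):
                hits.append(("script_host_runs_appdata_exe", e["pid"]))
            # Firewall exception added for an AppData-resident program.
            if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmd) and APPDATA.search(cmd):
                hits.append(("netsh_allows_appdata_exe", e["pid"]))
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]) and APPDATA.search(e["value"]):
            hits.append(("run_key_to_appdata", e["pid"]))
        elif e["type"] == "file" and STARTUP_SCRIPT.search(e["path"]):
            hits.append(("startup_folder_script", e["pid"]))
    return hits


def root_pid(pid, procs):
    """Walk ppid links up to the first process whose parent is not in the data."""
    seen = set()
    while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
    return pid


def correlate(events):
    """Group distinct rule hits by the root of the process chain behind them."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    by_root = defaultdict(set)
    for rule, pid in detect(events):
        by_root[root_pid(pid, procs)].add(rule)
    return {root: sorted(rules) for root, rules in by_root.items()}


if __name__ == "__main__":
    for root, rules in correlate(EVENTS).items():
        print(f"root PID {root}: {len(rules)} distinct rules -> {', '.join(rules)}")
```

Each rule on its own is noisy on a developer workstation (scripts in AppData, a single Run value); grouping by the chain root is what turns five weak signals from three different processes into one alert on PID 1764, the wscript.exe that opened Cheque.js.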
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Server.exe
  Filesize: 24KB
  MD5: c2f4ae9580de684b7651bade5022107a
  SHA1: 1e3cbb87a009c26d25469b006713a73d20dc2da7
  SHA256: 9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3
  SHA512: 8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579
- C:\Users\Admin\AppData\Roaming\erOsYaZFkd.js
  Filesize: 10KB
  MD5: ca226b3fdeada41e1f2743e12442cbae
  SHA1: 454a44a1884153832370dfa7f3f35f784ed405af
  SHA256: d89c5e9d3a60907af391cf5b10840ba2646251f12342e7e9e80d2a1e0acc9845
  SHA512: 7036ec02decd3ed65d14b8a3f771c492aa67ae59e454d5e24f1dd2c394e6372bc4333966840b629d1f6968c77e7e2186992ff77e3c6dd911ddad9125fe121dcb
- memory/592-57-0x0000000000000000-mapping.dmp
- memory/592-61-0x00000000002A0000-0x00000000002AC000-memory.dmp (Filesize: 48KB)
- memory/1552-55-0x0000000000000000-mapping.dmp
- memory/1764-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp (Filesize: 8KB)
- memory/1892-63-0x0000000000000000-mapping.dmp