Analysis
- max time kernel: 154s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 12:03
Static task: static1
Behavioral task: behavioral1
- Sample: sYCuOOjDOlvjstub.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: sYCuOOjDOlvjstub.js
- Resource: win10v2004-20220414-en
General
- Target: sYCuOOjDOlvjstub.js
- Size: 29KB
- MD5: dac9ed798f79a40ef59756c710f61593
- SHA1: 199bfa38a09181e9396cef4d3b29b0762c5ba987
- SHA256: 94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
- SHA512: ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef
Malware Config
Extracted: njrat
- Version: 0.7d
- Botnet: HacKed By MustyMoney
- C2: 104.168.7.110:5552
- Mutex: 72f64d4ec723544c65ffca1cd7ba4ee6
- reg_key: 72f64d4ec723544c65ffca1cd7ba4ee6
- splitter: |'|'|
Extracted: njrat
- Version: 0.7d
- Botnet: HacKed By MusteMonee
- C2: 104.168.7.110:5552
- Mutex: eca56299e0fd252052e571b07f78b218
- reg_key: eca56299e0fd252052e571b07f78b218
- splitter: |'|'|
Extracted: vjw0rm
- C2: http://104.168.7.110:7974
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- Blocklisted process makes network request (22 IoCs)
  Processes (flow, pid, process):
  - flow 6: pid 4428 wscript.exe
  - flows 14, 22, 44, 54, 59, 75, 86, 92, 95, 97, 99: pid 3740 wscript.exe
  - flows 18, 43, 53, 58, 66, 85, 91, 93, 96, 98: pid 3764 wscript.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4528 Server.exe
  - 3152 tmp7CE1.tmp.exe
- Modifies Windows Firewall (1 TTP, 2 IoCs)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (WScript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (Server.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js (wscript.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js (wscript.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js (wscript.exe)
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." (Server.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eca56299e0fd252052e571b07f78b218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7CE1.tmp.exe\" .." (tmp7CE1.tmp.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eca56299e0fd252052e571b07f78b218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7CE1.tmp.exe\" .." (tmp7CE1.tmp.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\egqENcOXOr.js\"" (wscript.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NYWMTCgCLF.js\"" (wscript.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." (Server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings (wscript.exe)
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  Processes (pid, process):
  - 4528 Server.exe
  - 3152 tmp7CE1.tmp.exe
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  Processes (description, pid, process), grouped by process with the number of occurrences of each token adjustment:
  - 4528 Server.exe: Token: SeDebugPrivilege (1), Token: 33 (13), Token: SeIncBasePriorityPrivilege (13)
  - 3152 tmp7CE1.tmp.exe: Token: SeDebugPrivilege (1), Token: 33 (8), Token: SeIncBasePriorityPrivilege (8)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process); each entry is recorded twice in the report:
  - PID 4428 wrote to memory of 3764: wscript.exe -> wscript.exe (x2)
  - PID 4428 wrote to memory of 2532: wscript.exe -> WScript.exe (x2)
  - PID 2532 wrote to memory of 3740: WScript.exe -> wscript.exe (x2)
  - PID 2532 wrote to memory of 4528: WScript.exe -> Server.exe (x2)
  - PID 4528 wrote to memory of 3284: Server.exe -> netsh.exe (x2)
  - PID 4528 wrote to memory of 3152: Server.exe -> tmp7CE1.tmp.exe (x2)
  - PID 3152 wrote to memory of 2084: tmp7CE1.tmp.exe -> netsh.exe (x2)
Processes
- [depth 1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\sYCuOOjDOlvjstub.js
  - Blocklisted process makes network request
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\egqENcOXOr.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - [depth 2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44L6NW8IFT.js"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    - [depth 3] C:\Users\Admin\AppData\Roaming\Server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Server.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SYSTEM32\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
        - Modifies Windows Firewall
      - [depth 4] C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SYSTEM32\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe" "tmp7CE1.tmp.exe" ENABLE
          - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\44L6NW8IFT.js
  Filesize: 69KB
  MD5: 1e7844cfd3891b2b8ccc1ff0c4f005f7
  SHA1: 8d2c5ed0869da9b4146605a9b01bc9e65ff89970
  SHA256: feb5d1bed4c5358d93a65af508a67c777761405f5491426ee3a80b2b1d21d8b0
  SHA512: e826c9c8db9471afc4cbad7437ec59bae342a5107fb8e0f46a34d82440e7d2623ca9950cab872ead2a098c69b2fc0b7e7d0f9925b07927bdc0193c49bab22d9e
- C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe
  Filesize: 25KB
  MD5: 7b306a90f5fa8c9e37d12da97901ab91
  SHA1: 5495f79e2716cc87fb5c97bcd66c4b9da0c65723
  SHA256: 1e650f32a1ff24effa0ca2ab8d694b085d79a28e44bf930ac484864d3fc33016
  SHA512: e912af8d124476c948e8397c86710b2fbdb2e6bf1b516e9d7d21436a4e2f56bcf16baa388b857da49a1d612426502d1bb994472e8d66806e782da1e0cf5fba45
- C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js
  Filesize: 10KB
  MD5: fd447e6df0608645bb7c39365c6df8ce
  SHA1: 13a8b0a5ab75f3552188aa409ed072d3ca800fa2
  SHA256: c72a3508ab2c2f766178f28b2f69130ac67219210537a7bef3db71f4a8fdbda8
  SHA512: 5bcc990d0c7c10ae97d6a5067c3cee7473f248e844acd44e0c86c43ad41aa79f446cd7ccbd9b8dea4fd415fceb76bb48e86cb4138045b81c5a4506703c8201ed
- C:\Users\Admin\AppData\Roaming\Server.exe
  Filesize: 24KB
  MD5: c2f4ae9580de684b7651bade5022107a
  SHA1: 1e3cbb87a009c26d25469b006713a73d20dc2da7
  SHA256: 9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3
  SHA512: 8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579
- C:\Users\Admin\AppData\Roaming\egqENcOXOr.js
  Filesize: 10KB
  MD5: dffdb0fc6b534c658575b72bfd4826ae
  SHA1: d6cc3039c628b6d9e8a137933fa953e785a9ef0b
  SHA256: 7e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939
  SHA512: c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae
- memory/2084-149-0x0000000000000000-mapping.dmp
- memory/2532-132-0x0000000000000000-mapping.dmp
- memory/3152-146-0x0000000000660000-0x000000000066C000-memory.dmp (Filesize: 48KB)
- memory/3152-143-0x0000000000000000-mapping.dmp
- memory/3152-147-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp (Filesize: 10.8MB)
- memory/3152-148-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp (Filesize: 10.8MB)
- memory/3284-140-0x0000000000000000-mapping.dmp
- memory/3740-134-0x0000000000000000-mapping.dmp
- memory/3764-130-0x0000000000000000-mapping.dmp
- memory/4528-141-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp (Filesize: 10.8MB)
- memory/4528-142-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp (Filesize: 10.8MB)
- memory/4528-139-0x0000000000E10000-0x0000000000E1C000-memory.dmp (Filesize: 48KB)
- memory/4528-136-0x0000000000000000-mapping.dmp