General

  • Target

    bJHtVihBXXacserver.js

  • Size

    70KB

  • Sample

    220616-nxvrdsefar

  • MD5

    3fb233467088b6906ae7ea8002352e86

  • SHA1

    7f318b6db9a28e39bd0162945295f787956eba61

  • SHA256

    db2525eb120cddd924084eb2d3adada700a65066f46f6c3675e47377ef09ee20

  • SHA512

    e36763c44d0c1e46a986299e3499d476e6e920e8c6d8e704c832457d0ff7725dfa3f29944025a3c9b4205234e285bfdbb69c281f22e1945bcda6094488824cd2

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed By MustyMoney

  • C2

    104.168.7.110:5552

  • Mutex

    72f64d4ec723544c65ffca1cd7ba4ee6

  • Attributes

    • reg_key

      72f64d4ec723544c65ffca1cd7ba4ee6

    • splitter

      |'|'|

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed By MusteMonee

  • C2

    104.168.7.110:5553

  • Mutex

    d60c61d273d37cbe8a96dbc7212c0bd5

  • Attributes

    • reg_key

      d60c61d273d37cbe8a96dbc7212c0bd5

    • splitter

      |'|'|

Targets

    • Target

      bJHtVihBXXacserver.js

    • Size

      70KB

    • MD5

      3fb233467088b6906ae7ea8002352e86

    • SHA1

      7f318b6db9a28e39bd0162945295f787956eba61

    • SHA256

      db2525eb120cddd924084eb2d3adada700a65066f46f6c3675e47377ef09ee20

    • SHA512

      e36763c44d0c1e46a986299e3499d476e6e920e8c6d8e704c832457d0ff7725dfa3f29944025a3c9b4205234e285bfdbb69c281f22e1945bcda6094488824cd2

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1031 Modify Existing Service: 1
    T1060 Registry Run Keys / Startup Folder: 1

  • Defense Evasion

    T1112 Modify Registry: 1

  • Credential Access

    T1081 Credentials in Files: 1

  • Discovery

    T1012 Query Registry: 1
    T1082 System Information Discovery: 2

  • Collection

    T1005 Data from Local System: 1

Tasks