General

  • Target

    Receipt.js

  • Size

    90KB

  • Sample

    220627-qmskdsdbc9

  • MD5

    e5b59195d361dcb825f4f8d37b2cb5ee

  • SHA1

    68457e878a1b2a3302c605282e3c69c6438d07f5

  • SHA256

    67b8f61733545f594194b178e41949e88ac493a5027eb9cd2b1000f5cba3922e

  • SHA512

    23220d9ad19f79f94106bf250f87bb2a9ef8e78fb695b63c19e7327c60ae0bea3202396433a0d249e5bb73455d434ff7870c70903a4d2dc848d4e0b49e40dd73

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HACKED JFK

  • C2

    103.149.13.61:4545

  • Mutex

    782e4e93b9158d4d448232ed139fc0db

  • Attributes

      • reg_key

        782e4e93b9158d4d448232ed139fc0db

      • splitter

        |'|'|

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HACKED... W2B

  • C2

    103.149.13.61:4545

  • Mutex

    f33599fc8954f4bf201159e017f34658

  • Attributes

      • reg_key

        f33599fc8954f4bf201159e017f34658

      • splitter

        |'|'|

Targets

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA

    • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

    • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    1 × Modify Existing Service (T1031)

    1 × Registry Run Keys / Startup Folder (T1060)

  • Defense Evasion

    1 × Modify Registry (T1112)

  • Credential Access

    1 × Credentials in Files (T1081)

  • Discovery

    1 × Query Registry (T1012)

    2 × System Information Discovery (T1082)

  • Collection

    1 × Data from Local System (T1005)