General
Target: Receipt.js
Size: 90KB
Sample: 220627-qmskdsdbc9
MD5: e5b59195d361dcb825f4f8d37b2cb5ee
SHA1: 68457e878a1b2a3302c605282e3c69c6438d07f5
SHA256: 67b8f61733545f594194b178e41949e88ac493a5027eb9cd2b1000f5cba3922e
SHA512: 23220d9ad19f79f94106bf250f87bb2a9ef8e78fb695b63c19e7327c60ae0bea3202396433a0d249e5bb73455d434ff7870c70903a4d2dc848d4e0b49e40dd73
Static task: static1
Behavioral task: behavioral1
  Sample: Receipt.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Receipt.js
  Resource: win10v2004-20220414-en
Malware Config
Extracted: njrat
  Version: 0.7d
  Botnet: HACKED JFK
  C2: 103.149.13.61:4545
  Mutex: 782e4e93b9158d4d448232ed139fc0db
  reg_key: 782e4e93b9158d4d448232ed139fc0db
  splitter: |'|'|
Extracted: njrat
  Version: 0.7d
  Botnet: HACKED... W2B
  C2: 103.149.13.61:4545
  Mutex: f33599fc8954f4bf201159e017f34658
  reg_key: f33599fc8954f4bf201159e017f34658
  splitter: |'|'|
Targets
Target: Receipt.js
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Drops startup file
Adds Run key to start application