Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27-06-2022 13:23

General

  • Target

    Receipt.js

  • Size

    90KB

  • MD5

    e5b59195d361dcb825f4f8d37b2cb5ee

  • SHA1

    68457e878a1b2a3302c605282e3c69c6438d07f5

  • SHA256

    67b8f61733545f594194b178e41949e88ac493a5027eb9cd2b1000f5cba3922e

  • SHA512

    23220d9ad19f79f94106bf250f87bb2a9ef8e78fb695b63c19e7327c60ae0bea3202396433a0d249e5bb73455d434ff7870c70903a4d2dc848d4e0b49e40dd73

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACKED JFK

C2

103.149.13.61:4545

Mutex

782e4e93b9158d4d448232ed139fc0db

Attributes
  • reg_key

    782e4e93b9158d4d448232ed139fc0db

  • splitter

    |'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HACKED... W2B

C2

103.149.13.61:4545

Mutex

f33599fc8954f4bf201159e017f34658

Attributes
  • reg_key

    f33599fc8954f4bf201159e017f34658

  • splitter

    |'|'|

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

  • Blocklisted process makes network request 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Drops startup file 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:1992
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:2032
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Windows\system32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1420
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9158.tmp.vbs"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:860
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpC757.tmp.vbs"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:1396
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:1896
      • C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:872

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    25KB

    MD5

    7398714aa7e951484c0230bd1919a4d7

    SHA1

    ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac

    SHA256

    d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2

    SHA512

    391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf

  • C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs
    Filesize

    24KB

    MD5

    e5c1dda5ea4a32f330a5c18582e151f9

    SHA1

    b1330ee206fc1eab7baf4002080f4b66ff047696

    SHA256

    3c6ed7bec65ed875a7c4df525b1bb9f4c7dd63727816c02ba41d0571fe48aad2

    SHA512

    0012d3189984839beba89b15460104462f62e1331181ddf05a6ad1cfb6593812bb497cca11eb539d13cd716028298236eb0eda9afa837a6b1a20b400822a4459

  • C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe
    Filesize

    25KB

    MD5

    13a393f4abc0575a0c3661a2058c6a92

    SHA1

    c35e88355d846094a9b9aeaef3822725cd65c898

    SHA256

    685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4

    SHA512

    f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6

  • C:\Users\Admin\AppData\Local\Temp\tmp9158.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Local\Temp\tmpC757.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp9158.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpC757.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js
    Filesize

    5KB

    MD5

    52aad348d257b926fa2d4f1a82cf1b57

    SHA1

    e7abda58f3159c4fadff80d82134af85368657ad

    SHA256

    371579c4cd2bb1df7ffde8cf0ea994971abd4223136e2e298da1bac30f143fe1

    SHA512

    999c8b81462f0b4cb6d5ec379090fc45dd5403a9cdf3207e5eba1d415baf4872b7070ee44bb04cba3e87b93ef5f8613a4d479e82c5f2c2669200f618977edc49

  • C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js
    Filesize

    5KB

    MD5

    57a4f324e829737f1e47259fa85f5c5d

    SHA1

    6815e1002cb458b2bfbd30e2f4b40a471fea70ab

    SHA256

    6f8fb242f23dd921cf19f13ea989ee438c573c6cefc56c59cbec7cfcc9a56393

    SHA512

    ddc62319afd4f7d03abc5c2a090468e3154f112b06e890aefcf1de8f6154e53d4cf71a895e40bbe805c893fd7f598108355106196fbb59c36e68ed52f4d847ed

  • C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • memory/860-71-0x0000000000000000-mapping.dmp
  • memory/872-91-0x0000000000FE0000-0x0000000000FEC000-memory.dmp
    Filesize

    48KB

  • memory/872-88-0x0000000000000000-mapping.dmp
  • memory/1100-82-0x000000001ABF0000-0x000000001AC54000-memory.dmp
    Filesize

    400KB

  • memory/1100-59-0x0000000000000000-mapping.dmp
  • memory/1100-84-0x000000001BD70000-0x000000001BDCE000-memory.dmp
    Filesize

    376KB

  • memory/1100-87-0x000000001BF50000-0x000000001BFD0000-memory.dmp
    Filesize

    512KB

  • memory/1100-64-0x0000000000330000-0x000000000033C000-memory.dmp
    Filesize

    48KB

  • memory/1396-78-0x0000000000000000-mapping.dmp
  • memory/1420-66-0x0000000000000000-mapping.dmp
  • memory/1496-68-0x0000000000000000-mapping.dmp
  • memory/1896-83-0x0000000000000000-mapping.dmp
  • memory/1920-75-0x0000000000000000-mapping.dmp
  • memory/1932-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp
    Filesize

    8KB

  • memory/1992-55-0x0000000000000000-mapping.dmp
  • memory/2032-56-0x0000000000000000-mapping.dmp