Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 13:23

General

  • Target
    Receipt.js
  • Size
    90KB
  • MD5
    e5b59195d361dcb825f4f8d37b2cb5ee
  • SHA1
    68457e878a1b2a3302c605282e3c69c6438d07f5
  • SHA256
    67b8f61733545f594194b178e41949e88ac493a5027eb9cd2b1000f5cba3922e
  • SHA512
    23220d9ad19f79f94106bf250f87bb2a9ef8e78fb695b63c19e7327c60ae0bea3202396433a0d249e5bb73455d434ff7870c70903a4d2dc848d4e0b49e40dd73

Malware Config

Extracted

  • Family
    njrat
  • Version
    0.7d
  • Botnet
    HACKED JFK
  • C2
    103.149.13.61:4545
  • Mutex
    782e4e93b9158d4d448232ed139fc0db
  • Attributes
    reg_key: 782e4e93b9158d4d448232ed139fc0db
    splitter: |'|'|

Extracted

  • Family
    njrat
  • Version
    0.7d
  • Botnet
    HACKED... W2B
  • C2
    103.149.13.61:4545
  • Mutex
    f33599fc8954f4bf201159e017f34658
  • Attributes
    reg_key: f33599fc8954f4bf201159e017f34658
    splitter: |'|'|

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA

  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

  • suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

  • Blocklisted process makes network request 44 IoCs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 10 IoCs
  • Adds Run key to start application 2 TTPs 16 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3272
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:3756
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      PID:488
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\SYSTEM32\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:4252
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp4391.tmp.vbs"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmp4391.tmp.vbs"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:4416
      • C:\Users\Admin\AppData\Local\Temp\tmp5010.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp5010.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Drops file in Windows directory
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of WriteProcessMemory
        PID:4808
        • C:\Windows\Server.exe
          "C:\Windows\Server.exe"
          4⤵
          • Executes dropped EXE
          • Drops startup file
          • Adds Run key to start application
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Windows\SYSTEM32\netsh.exe
            netsh firewall add allowedprogram "C:\Windows\Server.exe" "Server.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            PID:3612

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    25KB

    MD5

    7398714aa7e951484c0230bd1919a4d7

    SHA1

    ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac

    SHA256

    d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2

    SHA512

    391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf

  • C:\Users\Admin\AppData\Local\Temp\tmp4391.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Local\Temp\tmp5010.tmp.exe
    Filesize

    25KB

    MD5

    13a393f4abc0575a0c3661a2058c6a92

    SHA1

    c35e88355d846094a9b9aeaef3822725cd65c898

    SHA256

    685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4

    SHA512

    f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4391.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js
    Filesize

    5KB

    MD5

    52aad348d257b926fa2d4f1a82cf1b57

    SHA1

    e7abda58f3159c4fadff80d82134af85368657ad

    SHA256

    371579c4cd2bb1df7ffde8cf0ea994971abd4223136e2e298da1bac30f143fe1

    SHA512

    999c8b81462f0b4cb6d5ec379090fc45dd5403a9cdf3207e5eba1d415baf4872b7070ee44bb04cba3e87b93ef5f8613a4d479e82c5f2c2669200f618977edc49

  • C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js
    Filesize

    5KB

    MD5

    57a4f324e829737f1e47259fa85f5c5d

    SHA1

    6815e1002cb458b2bfbd30e2f4b40a471fea70ab

    SHA256

    6f8fb242f23dd921cf19f13ea989ee438c573c6cefc56c59cbec7cfcc9a56393

    SHA512

    ddc62319afd4f7d03abc5c2a090468e3154f112b06e890aefcf1de8f6154e53d4cf71a895e40bbe805c893fd7f598108355106196fbb59c36e68ed52f4d847ed

  • C:\Users\Admin\AppData\Roaming\tmp4391.tmp.vbs
    Filesize

    13KB

    MD5

    3c5846a19b95e2441a049c7c2e8eeb14

    SHA1

    9d30716b1eef3995228ac87cf800d2acdec9e0fc

    SHA256

    e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1

    SHA512

    32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476

  • C:\Windows\Server.exe
    Filesize

    25KB

    MD5

    13a393f4abc0575a0c3661a2058c6a92

    SHA1

    c35e88355d846094a9b9aeaef3822725cd65c898

    SHA256

    685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4

    SHA512

    f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6

  • memory/488-131-0x0000000000000000-mapping.dmp
  • memory/1644-151-0x0000000000000000-mapping.dmp
  • memory/1644-155-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/1644-157-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/3612-156-0x0000000000000000-mapping.dmp
  • memory/3756-130-0x0000000000000000-mapping.dmp
  • memory/4252-139-0x0000000000000000-mapping.dmp
  • memory/4372-140-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/4372-138-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/4372-137-0x00000000006D0000-0x00000000006DC000-memory.dmp
    Filesize

    48KB

  • memory/4372-134-0x0000000000000000-mapping.dmp
  • memory/4416-143-0x0000000000000000-mapping.dmp
  • memory/4532-141-0x0000000000000000-mapping.dmp
  • memory/4808-146-0x0000000000000000-mapping.dmp
  • memory/4808-154-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/4808-150-0x00007FFB12A40000-0x00007FFB13501000-memory.dmp
    Filesize

    10.8MB

  • memory/4808-149-0x0000000000DA0000-0x0000000000DAC000-memory.dmp
    Filesize

    48KB