Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27-06-2022 13:27
Static task
static1
Behavioral task
behavioral1
Sample
Payloads.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Payloads.js
Resource
win10v2004-20220414-en
General
-
Target
Payloads.js
-
Size
58KB
-
MD5
94c08ba8dc8fa3697207c53665c1ddb3
-
SHA1
1af6156240c60e2b39269e3649b2a30f981e75b9
-
SHA256
40de3b364abfeae905e92cd564381d46a80c386c6011e37ce95df860abb572eb
-
SHA512
11e1a9c810ed146a09aa79ee3d500af4a24d1c2432d5e3b62e125738bf0737dcc110c6926224850e5436b6af6a95ce25b4f8b4de4070f1e53d12a0fbc616dedf
Malware Config
Extracted
njrat
0.7d
HACKED JFK
103.149.13.61:4545
782e4e93b9158d4d448232ed139fc0db
-
reg_key
782e4e93b9158d4d448232ed139fc0db
-
splitter
|'|'|
Signatures
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
-
Blocklisted process makes network request 14 IoCs
Processes:
wscript.exeflow pid process 4 388 wscript.exe 17 388 wscript.exe 24 388 wscript.exe 26 388 wscript.exe 32 388 wscript.exe 33 388 wscript.exe 40 388 wscript.exe 44 388 wscript.exe 48 388 wscript.exe 49 388 wscript.exe 52 388 wscript.exe 53 388 wscript.exe 54 388 wscript.exe 56 388 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
Server.exepid process 4252 Server.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation wscript.exe -
Drops startup file 4 IoCs
Processes:
Server.exewscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\782e4e93b9158d4d448232ed139fc0db.exe Server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\782e4e93b9158d4d448232ed139fc0db.exe Server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoqvcWJwJA.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoqvcWJwJA.js wscript.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Server.exewscript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\782e4e93b9158d4d448232ed139fc0db = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .." Server.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\PoqvcWJwJA.js\"" wscript.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Server.exepid process 4252 Server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes:
Server.exedescription pid process Token: SeDebugPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe Token: 33 4252 Server.exe Token: SeIncBasePriorityPrivilege 4252 Server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
wscript.exeServer.exedescription pid process target process PID 4048 wrote to memory of 388 4048 wscript.exe wscript.exe PID 4048 wrote to memory of 388 4048 wscript.exe wscript.exe PID 4048 wrote to memory of 4252 4048 wscript.exe Server.exe PID 4048 wrote to memory of 4252 4048 wscript.exe Server.exe PID 4252 wrote to memory of 4144 4252 Server.exe netsh.exe PID 4252 wrote to memory of 4144 4252 Server.exe netsh.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Payloads.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PoqvcWJwJA.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:388
-
-
C:\Users\Admin\AppData\Roaming\Server.exe"C:\Users\Admin\AppData\Roaming\Server.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252 -
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:4144
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD538b9e490740629a6dd24eec991ddbd10
SHA1dbf4d6c461b7f74a30533834d13b02da01e2e42f
SHA256f17073bfd898f4b6442198f04be36ab8b821b7771b2e152213dba0b53571177c
SHA512211d3a4cc32be4f6f38aa37cb9e1c3ed5cc18b8f43e8face02656e0e60c6ab666fbaba5dfec2b294d986f49fa9580822d056a6565d1a0aaa1ae5a415216578c8
-
Filesize
25KB
MD57398714aa7e951484c0230bd1919a4d7
SHA1ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac
SHA256d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2
SHA512391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf
-
Filesize
25KB
MD57398714aa7e951484c0230bd1919a4d7
SHA1ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac
SHA256d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2
SHA512391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf