Analysis Overview
SHA256
6624c79c2c07fbcb8d4244fadd4e16ad4c536c187c25acaf3b831fff7cbda3c9
Threat Level: Known bad
The file yjnclient-v3.exe was found to be: Known bad.
Malicious Activity Summary
Discordrat family
Discord RAT
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 00:13
Signatures
Discordrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 00:13
Reported
2024-06-25 00:14
Platform
win10-20240404-en
Max time kernel
16s
Max time network
18s
Command Line
Signatures
Discord RAT
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1836 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe | C:\Windows\SYSTEM32\SCHTASKS.exe |
| PID 1836 wrote to memory of 412 | N/A | C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe | C:\Windows\SYSTEM32\SCHTASKS.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe
"C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe"
C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77yjnclient-v3.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\yjnclient-v3.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | gateway.discord.gg | udp |
| US | 162.159.130.234:443 | gateway.discord.gg | tcp |
| US | 8.8.8.8:53 | f.f.f.f.5.e.a.8.b.6.d.3.0.8.0.1.f.f.f.f.5.e.a.8.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
Files
memory/1836-0-0x0000018143180000-0x0000018143198000-memory.dmp
memory/1836-1-0x00007FF833F83000-0x00007FF833F84000-memory.dmp
memory/1836-2-0x000001815D8C0000-0x000001815DA82000-memory.dmp
memory/1836-3-0x00007FF833F80000-0x00007FF83496C000-memory.dmp
memory/1836-4-0x000001815E1B0000-0x000001815E6D6000-memory.dmp