Malware Analysis Report

2024-10-23 19:39

Sample ID 240811-jmjtxs1crm
Target Ref_87021929821US20240709031221656.js
SHA256 356e87a4ef1469bba5cfc99c19161b37f0fdaa766043705a4d51b4bae8b134d3
Tags
nanocore discovery evasion execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

356e87a4ef1469bba5cfc99c19161b37f0fdaa766043705a4d51b4bae8b134d3

Threat Level: Known bad

The file Ref_87021929821US20240709031221656.js was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

NanoCore

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 07:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 07:47

Reported

2024-08-11 07:49

Platform

win7-20240705-en

Max time kernel

141s

Max time network

145s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe" | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DSL Service\dslsv.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A
File opened for modification | C:\Program Files (x86)\DSL Service\dslsv.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A (signature triggered 3 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"

C:\Users\Admin\AppData\Local\Temp\mYIv.exe

"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"
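The process list and the persistence signatures above describe one chain: wscript.exe runs the mailed .js, which drops TEZDIY.js and re-launches WScript.exe on it; that second script host writes mYIv.exe to the user's Temp directory and executes it; mYIv.exe then copies itself to C:\Program Files (x86)\DSL Service\dslsv.exe and registers that copy as an HKLM Run value. The following is an added example of how those three steps can be expressed as host-side detection rules; it is not part of the sandbox report and not Triage's own signature code. Field names follow Sysmon conventions (EventID 1 process create, 11 file create, 13 registry value set), and the event records, PIDs and the two benign control events are constructed from the report's indicators rather than captured logs.

```python
"""Host-side detections for the wscript -> WScript.exe -> Temp EXE ->
Program Files persistence chain. Added example; events below are constructed."""
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
# A 32-bit dropper on 64-bit Windows lands in the Wow6432Node copy of the Run
# key (as in the report); both copies are honoured at logon, so match either.
RUN_KEY_RE = re.compile(
    r"\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_chain(ev):
    """EventID 1: a script host re-launched on a Temp script, or spawning a Temp EXE."""
    if ev["EventID"] != 1 or _name(ev["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    if _name(ev["Image"]) in SCRIPT_HOSTS and TEMP_RE.search(ev["CommandLine"]):
        return "script host re-launched on a second script from Temp"
    if TEMP_RE.search(ev["Image"]):
        return "script host executed a dropped EXE from Temp"
    return None


def rule_temp_exe_writes_program_files(ev):
    """EventID 11: a Temp-resident process creating a file under Program Files."""
    if ev["EventID"] == 11 and TEMP_RE.search(ev["Image"]) \
            and PROGRAM_FILES_RE.match(ev["TargetFilename"]):
        return "Temp-resident process created a file under Program Files"
    return None


def rule_run_key_into_program_files(ev):
    """EventID 13: a Temp-resident process setting a Run value into Program Files."""
    if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev["TargetObject"]):
        return None
    if TEMP_RE.search(ev["Image"]) and PROGRAM_FILES_RE.match(ev["Details"].strip('"')):
        return "Temp-resident process set a Run value pointing into Program Files"
    return None


RULES = (rule_script_host_chain, rule_temp_exe_writes_program_files,
         rule_run_key_into_program_files)


def detect(events):
    """Return (ProcessId, message) for every event/rule match, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["ProcessId"], msg))
    return hits


# Constructed events mirroring the behavioral1 run; PIDs are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2000, "Image": r"C:\Windows\System32\WScript.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"'},
    {"EventID": 1, "ProcessId": 2812, "Image": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "ParentImage": r"C:\Windows\System32\WScript.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"'},
    {"EventID": 11, "ProcessId": 2812, "Image": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "TargetFilename": r"C:\Program Files (x86)\DSL Service\dslsv.exe"},
    {"EventID": 13, "ProcessId": 2812, "Image": r"C:\Users\Admin\AppData\Local\Temp\mYIv.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service",
     "Details": r"C:\Program Files (x86)\DSL Service\dslsv.exe"},
    # Benign controls: an interactive launch and an installer registering itself.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "ProcessId": 4200, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for pid, msg in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {msg}")
```

The rules key on where the acting process lives rather than on the dropped file names, since mYIv.exe, DSL Service and dslsv.exe are per-sample and (as the Win10 run below shows) change between builds; a legitimate installer writing the same Run key from System32 does not fire.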

Network

Country Destination Domain Proto
US 192.210.215.11:80 192.210.215.11 tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\TEZDIY.js

MD5 dc0bce4906594a89e2707870b3455a71
SHA1 693e646c87bcc184658c53e191196bb9243c3242
SHA256 9332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d
SHA512 8c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83

C:\Users\Admin\AppData\Local\Temp\mYIv.exe

MD5 842793f4ae0abae1c4e0d1d00c3b1b36
SHA1 45cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76
SHA256 f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2
SHA512 681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d

memory/2812-13-0x0000000000790000-0x00000000007D0000-memory.dmp

memory/2812-16-0x0000000000790000-0x00000000007D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 07:47

Reported

2024-08-11 07:49

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

142s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Monitor = "C:\\Program Files (x86)\\NAS Monitor\\nasmon.exe" | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NAS Monitor\nasmon.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A
File opened for modification | C:\Program Files (x86)\NAS Monitor\nasmon.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A (signature triggered 3 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mYIv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1928 wrote to memory of 2544 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe (2 events)
PID 2544 wrote to memory of 3856 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\mYIv.exe (3 events)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Ref_87021929821US20240709031221656.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TEZDIY.js"

C:\Users\Admin\AppData\Local\Temp\mYIv.exe

"C:\Users\Admin\AppData\Local\Temp\mYIv.exe"

Network

Country Destination Domain Proto
US 192.210.215.11:80 192.210.215.11 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 11.215.210.192.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
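In both runs the two free dynamic-DNS hostnames, chongmei33.publicvm.com and jinvestments.duckdns.org, resolve to the same endpoint, 46.246.14.67:5569, which the sample retries repeatedly; the Win10 run adds a batch of in-addr.arpa (reverse) lookups and some bing.net traffic that this table alone does not attribute to the sample. The following is an added example, not part of the sandbox report, of parsing these "Country Destination Domain Proto" rows and pivoting on the IP:port rather than on the rotating hostnames. The rows embedded in it are an excerpt copied from the table above; the suffix lists used to classify rows (which providers count as DDNS, which hosts are treated as sandbox background noise) are the example's own assumptions.

```python
"""Parse the report's network rows and triage them by endpoint.
Added example; REPORT_ROWS is an excerpt of the behavioral2 Network table."""
from collections import Counter, defaultdict
from dataclasses import dataclass

DDNS_SUFFIXES = (".duckdns.org", ".publicvm.com")   # free DDNS seen in the report
SANDBOX_NOISE_SUFFIXES = (".bing.net",)             # assumed OS background traffic

REPORT_ROWS = """\
Country Destination Domain Proto
US 192.210.215.11:80 192.210.215.11 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 11.215.210.192.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
US 8.8.8.8:53 jinvestments.duckdns.org udp
SE 46.246.14.67:5569 jinvestments.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.14.67:5569 chongmei33.publicvm.com tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """One Flow per data row; the header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def ptr_to_ip(name):
    """'11.215.210.192.in-addr.arpa' -> '192.210.215.11'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(flow):
    if flow.domain.endswith(".in-addr.arpa"):
        return "reverse-dns"
    if flow.domain == flow.ip:
        return "ip-literal"
    if flow.domain.endswith(SANDBOX_NOISE_SUFFIXES):
        return "noise"
    if flow.domain.endswith(DDNS_SUFFIXES):
        return "ddns"
    return "other"


def c2_candidates(flows):
    """DDNS hostnames grouped by the TCP endpoint they were connected to."""
    by_endpoint = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and classify(f) == "ddns":
            by_endpoint[(f.ip, f.port)].add(f.domain)
    return {ep: sorted(domains) for ep, domains in by_endpoint.items()}


def endpoint_attempts(flows):
    """How many TCP connections were made to each ip:port (beacon retries)."""
    return Counter((f.ip, f.port) for f in flows if f.proto == "tcp")


def reverse_lookups(flows):
    """Addresses whose PTR records were queried, in dotted-quad form."""
    return sorted({ptr_to_ip(f.domain) for f in flows if classify(f) == "reverse-dns"})


if __name__ == "__main__":
    flows = parse_rows(REPORT_ROWS)
    print("C2 candidates:", c2_candidates(flows))
    print("TCP attempts per endpoint:", dict(endpoint_attempts(flows)))
    print("PTR-queried hosts:", reverse_lookups(flows))
```

Blocking on the endpoint is the durable choice here: a DDNS name can be repointed at a new server in minutes, while the server address and the non-standard port 5569 are what both hostnames share. Decoding the PTR names also shows that one of the reverse lookups concerns 192.210.215.11, the host the sample contacted on port 80 in the same run.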

Files

C:\Users\Admin\AppData\Local\Temp\TEZDIY.js

MD5 dc0bce4906594a89e2707870b3455a71
SHA1 693e646c87bcc184658c53e191196bb9243c3242
SHA256 9332806b808c9d72d0366841aa990fe5dbde39f88eccd73962adc6a91da0548d
SHA512 8c7aa5673700eb5989f8a60750689b87685e1a6ddc0a2e7f3c9fb288b8376c685a90639fc7745ff4757b18125373c240383e2475c3425628581cee8f40030f83

C:\Users\Admin\AppData\Local\Temp\mYIv.exe

MD5 842793f4ae0abae1c4e0d1d00c3b1b36
SHA1 45cc5efe42d8ff19e8f4eafdcfe9e2cc0c62bb76
SHA256 f87b7426970122ba506c6dc25e7877f93af482db93df438bd613cea22b06a3b2
SHA512 681dcfe8fa0c401e234064b9ecfbe5eef5f84e3fba9c09c0a1355d0221288e97d94ab8e42c7b96d39318c71cdab18a7d563e636b5d3e5638d7d959fe812eef1d