General

Target: 06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js.xz
Size: 4KB
Sample: 241206-taf8davnay
MD5: 7e9c67f2546cf7786527b9faef7581da
SHA1: 62f4d38b8c8b3c743154c1b854aa134f30069b76
SHA256: b91fd2517dd1aa0a3f6ed4c37e62794279da383ee8f3d3724818253efadbcdd8
SHA512: 8c0b870f08d08c8e6488318e6024709f19fdb84083819ebbefd3b70e72bc53d83a70c13025b2b73849042a82637ed63ebfa0dc30e39e0834bf38e9e10d1da920
SSDEEP: 96:NGkJu2uW91NMUXa0N7Qlvlcq2ehIYWAyu1U8ERx7OwiXJZXSEtThvrp3g7:ItWvAaMjcqzhIYWA1ED7OweCOvrp0
Static task: static1

Behavioral task: behavioral1
Sample: 06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Resource: win10v2004-20241007-en
Malware Config

Extracted
https://drive.google.com/uc?export=download&id=

Extracted
Protocol: ftp
Host: ftp.desckvbrat.com.br
Port: 21
Username: desckvbrat1
Password: fYudY1578@@@@@@

Extracted
njrat
0.7NC
NYAN CAT
hugolganador.duckdns.org:5250
f07d2cf4921a47eb98
reg_key: f07d2cf4921a47eb98
splitter: @!#&^%$
Targets

Target: 06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js
Size: 195KB
MD5: 6675b77a4e527883e0cd36a107269299
SHA1: 48b54aab7672ff52328632c110c7b14207f91832
SHA256: cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a
SHA512: b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046
SSDEEP: 3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G

- Njrat family
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Adds Run key to start application
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Window (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (1)