njrat | ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d

General

Target

aa652fc67ec4c4353b9a5562c9ec0d21.exe
Size

816KB
MD5

aa652fc67ec4c4353b9a5562c9ec0d21
SHA1

1dea45515e03d1f561e5a31a1859aea7aa05bd62
SHA256

ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d
SHA512

eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09

Score

10^/10

njrat nyan cat evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

gbarpresencewriterprint.duckdns.org:8651

Mutex

682708ec68e74

Attributes

reg_key
682708ec68e74
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa652fc67ec4c4353b9a5562c9ec0d21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa652fc67ec4c4353b9a5562c9ec0d21.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	aa652fc67ec4c4353b9a5562c9ec0d21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aa652fc67ec4c4353b9a5562c9ec0d21.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description pid process target process

PID 804 set thread context of 200 804 aa652fc67ec4c4353b9a5562c9ec0d21.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3980 schtasks.exe

description	pid	process	target process
PID 804 set thread context of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe

pid	process
3980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exeaa652fc67ec4c4353b9a5562c9ec0d21.exepowershell.exe

pid	process
3568	powershell.exe
3568	powershell.exe
3872	powershell.exe
3872	powershell.exe
804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
3568	powershell.exe
3872	powershell.exe
964	powershell.exe
964	powershell.exe
964	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowershell.exeaa652fc67ec4c4353b9a5562c9ec0d21.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe
Token: 33	200	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	200	RegSvcs.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	pid	process	target process
PID 804 wrote to memory of 3568	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3568	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3568	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3872	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3872	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3872	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 3980	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 804 wrote to memory of 3980	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 804 wrote to memory of 3980	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 804 wrote to memory of 964	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 964	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 964	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 804 wrote to memory of 368	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 368	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 368	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 212	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 212	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 212	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 804 wrote to memory of 200	804	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe
"C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB324.tmp"
2⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
55a08aaa0332dd4c0131af98d27c5c6f

SHA1
5161767dbadcd76e77a2d31e76f428d6f3c55911

SHA256
9eb1e68c2f94c41628ac7469d59d88a9b3ba0e6d9818be39aa2e18f7b7986b3f

SHA512
b20b5a021ef1aa8134c6c911341872bc5647e05276187f19fa4d3317821ba7fb41bd9f70a274ea974b3ab91535bc7b3738afb9956c47d2293f910c911b07b109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cdd75a1b758e2054e0e0c45843d46dcd

SHA1
24747acbf4736298c38a3aa349dbae6bbb219cc4

SHA256
968411f6a2b15b61686690107985bf5a1237bdea7bbd583a0d1dd7632854d71a

SHA512
f2b266a794700d7636b4121ad867e8b5a3c92ed8cca991bfcc4255a36203b8c29409ccb227a9f26a815b01d3f4eafd5b9c696cb1184e394b822414fcfd5d5a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB324.tmp
MD5
fc4573ce606b063da594053f959323c9

SHA1
ef223ce0ab757e70d820292dfa8a1a68d560a629

SHA256
5c09e5b7dfe5f529dbcd41783166eee85c1641e79231bbf819d553e876f621d4

SHA512
fc1ed013b391558dea773f59cc5b945e9f031a2bf80e5012e0fd382fcf79b56e8e7fe48f8203d4398115aa21f31a4754575bd6873fc00be84054197e6c97d17d

Download Submit
memory/200-152-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/200-153-0x00000000004067AE-mapping.dmp

Download
memory/200-292-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/804-125-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/804-118-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/804-122-0x0000000007920000-0x0000000007998000-memory.dmp

Filesize
480KB

Download
memory/804-121-0x0000000005720000-0x0000000005731000-memory.dmp

Filesize
68KB

Download
memory/804-120-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/804-119-0x00000000052F0000-0x00000000057EE000-memory.dmp

Filesize
5.0MB

Download
memory/804-123-0x00000000072D0000-0x00000000072D9000-memory.dmp

Filesize
36KB

Download
memory/804-116-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/804-117-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/964-289-0x00000000032D3000-0x00000000032D4000-memory.dmp

Filesize
4KB

Download
memory/964-170-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/964-171-0x00000000032D2000-0x00000000032D3000-memory.dmp

Filesize
4KB

Download
memory/964-245-0x000000007F030000-0x000000007F031000-memory.dmp

Filesize
4KB

Download
memory/964-149-0x0000000000000000-mapping.dmp

Download
memory/3568-148-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/3568-133-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/3568-139-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/3568-124-0x0000000000000000-mapping.dmp

Download
memory/3568-128-0x0000000006790000-0x0000000006791000-memory.dmp

Filesize
4KB

Download
memory/3568-157-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/3568-137-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/3568-129-0x0000000006E00000-0x0000000006E01000-memory.dmp

Filesize
4KB

Download
memory/3568-189-0x0000000008ED0000-0x0000000008F03000-memory.dmp

Filesize
204KB

Download
memory/3568-205-0x0000000008080000-0x0000000008081000-memory.dmp

Filesize
4KB

Download
memory/3568-209-0x000000007EF90000-0x000000007EF91000-memory.dmp

Filesize
4KB

Download
memory/3568-130-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3568-131-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/3568-221-0x0000000009230000-0x0000000009231000-memory.dmp

Filesize
4KB

Download
memory/3568-147-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/3568-243-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/3872-241-0x00000000074E3000-0x00000000074E4000-memory.dmp

Filesize
4KB

Download
memory/3872-134-0x0000000000000000-mapping.dmp

Download
memory/3872-217-0x0000000009B90000-0x0000000009B91000-memory.dmp

Filesize
4KB

Download
memory/3872-212-0x000000007ED40000-0x000000007ED41000-memory.dmp

Filesize
4KB

Download
memory/3872-155-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/3872-154-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/3980-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads