njrat | 62adcba42e924882bbbc57aa1a7801e7000ba3366e055beeab5d935d9f7822fc

General

Target

2f27554c5fbeb881bfe32ea5475befb4.exe
Size

5KB
MD5

2f27554c5fbeb881bfe32ea5475befb4
SHA1

48eceac335a3129cbf2bc50b9026ba3a7d4b58de
SHA256

62adcba42e924882bbbc57aa1a7801e7000ba3366e055beeab5d935d9f7822fc
SHA512

5bed056bd6dd68c45837418b461b2e88bbf70466400c55b7228275cd9552a6b8cdd446b3f469d8844a6ff9c796b9fc054b27819a77f067bba27f502038248e99

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

grennoj.duckdns.org:8000

Mutex

f171208f74a9

Attributes

reg_key
f171208f74a9
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

2f27554c5fbeb881bfe32ea5475befb4.exe

description pid process target process

PID 4008 set thread context of 3964 4008 2f27554c5fbeb881bfe32ea5475befb4.exe vbc.exe

description	pid	process	target process
PID 4008 set thread context of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

2f27554c5fbeb881bfe32ea5475befb4.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	4008	2f27554c5fbeb881bfe32ea5475befb4.exe
Token: SeDebugPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe
Token: 33	3964	vbc.exe
Token: SeIncBasePriorityPrivilege	3964	vbc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2f27554c5fbeb881bfe32ea5475befb4.exe

description	pid	process	target process
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe
PID 4008 wrote to memory of 3964	4008	2f27554c5fbeb881bfe32ea5475befb4.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2f27554c5fbeb881bfe32ea5475befb4.exe
"C:\Users\Admin\AppData\Local\Temp\2f27554c5fbeb881bfe32ea5475befb4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3964-121-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3964-122-0x000000000040676E-mapping.dmp

Download
memory/3964-131-0x0000000009960000-0x0000000009961000-memory.dmp

Filesize
4KB

Download
memory/3964-134-0x00000000097F0000-0x0000000009CEE000-memory.dmp

Filesize
5.0MB

Download
memory/3964-135-0x0000000009A20000-0x0000000009A21000-memory.dmp

Filesize
4KB

Download
memory/3964-136-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/4008-115-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/4008-117-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4008-118-0x0000000005490000-0x00000000054EF000-memory.dmp

Filesize
380KB

Download
memory/4008-119-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/4008-120-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4008-125-0x00000000054F0000-0x00000000059EE000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing