njrat | ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d

General

Target

aa652fc67ec4c4353b9a5562c9ec0d21.exe
Size

816KB
MD5

aa652fc67ec4c4353b9a5562c9ec0d21
SHA1

1dea45515e03d1f561e5a31a1859aea7aa05bd62
SHA256

ae4fdb69e4ef555cb516a8052d715d741ae565c97cc595f3ea0dc3cd349c4b8d
SHA512

eddb0fa378f4d4f9aa1ab0eee44705024e89d6bd2c09a313f60b2203f7cf52c2e66909154c4a176bf865da1c211ddcbe1d9b12224125e44eb6ee70e0c61e4e09

Score

10^/10

njrat nyan cat evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

gbarpresencewriterprint.duckdns.org:8651

Mutex

682708ec68e74

Attributes

reg_key
682708ec68e74
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa652fc67ec4c4353b9a5562c9ec0d21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa652fc67ec4c4353b9a5562c9ec0d21.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	aa652fc67ec4c4353b9a5562c9ec0d21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aa652fc67ec4c4353b9a5562c9ec0d21.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description pid process target process

PID 1664 set thread context of 1412 1664 aa652fc67ec4c4353b9a5562c9ec0d21.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1336 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1680 powershell.exe
548 powershell.exe
1740 powershell.exe

description	pid	process	target process
PID 1664 set thread context of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe

pid	process
1336	schtasks.exe

pid	process
1680	powershell.exe
548	powershell.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

aa652fc67ec4c4353b9a5562c9ec0d21.exe

description	pid	process	target process
PID 1664 wrote to memory of 1680	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1680	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1680	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1680	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 548	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 548	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 548	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 548	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1336	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 1664 wrote to memory of 1336	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 1664 wrote to memory of 1336	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 1664 wrote to memory of 1336	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	schtasks.exe
PID 1664 wrote to memory of 1740	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1740	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1740	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1740	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	powershell.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe
PID 1664 wrote to memory of 1412	1664	aa652fc67ec4c4353b9a5562c9ec0d21.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe
"C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa652fc67ec4c4353b9a5562c9ec0d21.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BkueKqkOElUWV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2896.tmp"
2⤵
- Creates scheduled task(s)
PID:1336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BkueKqkOElUWV.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2896.tmp
MD5
c84441b9b283f651bd456039ac24bb0e

SHA1
fb4f30d009ce333d1221b058fd094bb3e8bad0fb

SHA256
40847b5b59cd96e5cc9c90351c011352f0ba69b9947af8fde01c99cfe4d937dc

SHA512
3e83e827012d2cba79058c585532329fdcc1ca0eed61a8c1d2dfebaa01c0ced69153846558316bb939fc79e7b0ee2b208bd8153287e09c4ee161e119d0c8c25f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3e10f6cd29fcdfad371c84e08e82ab22

SHA1
2f356152877c56e6d3559859c688ed6b53eef7e2

SHA256
1fef46b5b9e16820435ffc021833018038662bc13f577503fd2494b1521c5364

SHA512
72c4b68c3abe257a485973ee7ea9f0f76504d1a14de39568c84bccb709ec900e7594e1844083e9bff404b6f320a4156d5a924c4eaa82e3e3cb9c28491e703772

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3e10f6cd29fcdfad371c84e08e82ab22

SHA1
2f356152877c56e6d3559859c688ed6b53eef7e2

SHA256
1fef46b5b9e16820435ffc021833018038662bc13f577503fd2494b1521c5364

SHA512
72c4b68c3abe257a485973ee7ea9f0f76504d1a14de39568c84bccb709ec900e7594e1844083e9bff404b6f320a4156d5a924c4eaa82e3e3cb9c28491e703772

Download Submit
memory/548-67-0x0000000001E01000-0x0000000001E02000-memory.dmp

Filesize
4KB

Download
memory/548-72-0x0000000001E02000-0x0000000001E04000-memory.dmp

Filesize
8KB

Download
memory/548-66-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/548-60-0x0000000000000000-mapping.dmp

Download
memory/1336-61-0x0000000000000000-mapping.dmp

Download
memory/1412-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1412-81-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1412-78-0x00000000004067AE-mapping.dmp

Download
memory/1412-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1664-52-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1664-57-0x0000000001ED0000-0x0000000001ED9000-memory.dmp

Filesize
36KB

Download
memory/1664-56-0x0000000004FB0000-0x0000000005028000-memory.dmp

Filesize
480KB

Download
memory/1664-55-0x00000000006C0000-0x00000000006D1000-memory.dmp

Filesize
68KB

Download
memory/1664-54-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1680-59-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1680-73-0x00000000021E0000-0x0000000002E2A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-68-0x00000000021E0000-0x0000000002E2A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-65-0x00000000021E0000-0x0000000002E2A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-58-0x0000000000000000-mapping.dmp

Download
memory/1740-74-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1740-76-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1740-75-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/1740-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads