njrat | aca870441f1fc5e5b54d151bdc762af81ef4ab21cf63845a29b205d57c99c533

General

Target

avellaneda.bin.exe
Size

420KB
MD5

0bb825d7755c400a76fd8512f6baab38
SHA1

278d3e2ca71d1b8f1e3b521e8885ae13e25d84da
SHA256

2543435084f6e995500f8e9f12312db2da5241029f78418a5308524e295443d9
SHA512

60bd692b834dd5280c93894adcfacde0d11cd0b7ae893a6b5a64cba704a13a0845f65bd322384d19e9eebf6a673a0565308f88769cc99eec4292c0ff2b980e34

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

reald27.duckdns.org:3525

Mutex

f45dd4eb26

Attributes

reg_key
f45dd4eb26
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

avellaneda.bin.exe

description pid process target process

PID 820 set thread context of 580 820 avellaneda.bin.exe avellaneda.bin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

avellaneda.bin.exepowershell.exe

pid process

820 avellaneda.bin.exe
820 avellaneda.bin.exe
1516 powershell.exe

description	pid	process	target process
PID 820 set thread context of 580	820	avellaneda.bin.exe	avellaneda.bin.exe

pid	process
820	avellaneda.bin.exe
820	avellaneda.bin.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

avellaneda.bin.exepowershell.exeavellaneda.bin.exe

description	pid	process
Token: SeDebugPrivilege	820	avellaneda.bin.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe
Token: 33	580	avellaneda.bin.exe
Token: SeIncBasePriorityPrivilege	580	avellaneda.bin.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

avellaneda.bin.exe

description	pid	process	target process
PID 820 wrote to memory of 1516	820	avellaneda.bin.exe	powershell.exe
PID 820 wrote to memory of 1516	820	avellaneda.bin.exe	powershell.exe
PID 820 wrote to memory of 1516	820	avellaneda.bin.exe	powershell.exe
PID 820 wrote to memory of 1516	820	avellaneda.bin.exe	powershell.exe
PID 820 wrote to memory of 1004	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 1004	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 1004	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 1004	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe
PID 820 wrote to memory of 580	820	avellaneda.bin.exe	avellaneda.bin.exe

C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
"C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
"C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
2⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe
"C:\Users\Admin\AppData\Local\Temp\avellaneda.bin.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/580-69-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/580-61-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/580-62-0x000000000040676E-mapping.dmp

Download
memory/820-55-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/820-57-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/820-58-0x0000000005D50000-0x0000000005DA7000-memory.dmp

Filesize
348KB

Download
memory/820-59-0x0000000001FC0000-0x0000000001FE2000-memory.dmp

Filesize
136KB

Download
memory/820-53-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1516-60-0x0000000000000000-mapping.dmp

Download
memory/1516-63-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1516-67-0x0000000002541000-0x0000000002542000-memory.dmp

Filesize
4KB

Download
memory/1516-66-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1516-68-0x0000000002542000-0x0000000002544000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x000007FEFB791000-0x000007FEFB793000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing