njrat | b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155

General

Target

857aff9992a47764185c61da2493c753.exe
Size

407KB
MD5

857aff9992a47764185c61da2493c753
SHA1

6efa34cd3fdb299fcd940c0719d3a172bac83164
SHA256

b73dc9d5947dd389cbae282955568d35ae3a38acd24983b116cdd8eb7ef67155
SHA512

fbb2a5bfb068d4f56e338dc67f4d1a171af3156de2b3d956a0a1bd9526706f370cdff16cfb136049468b3a71db4c7ce99349265d3841db7775d5389b7aab798a

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

pedrobedoya2021.duckdns.org:1980

Mutex

cf13c225ff474d45b

Attributes

reg_key
cf13c225ff474d45b
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

857aff9992a47764185c61da2493c753.exe

description pid process target process

PID 3996 set thread context of 3724 3996 857aff9992a47764185c61da2493c753.exe 857aff9992a47764185c61da2493c753.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2888 powershell.exe
2888 powershell.exe
2888 powershell.exe

description	pid	process	target process
PID 3996 set thread context of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe

pid	process
2888	powershell.exe
2888	powershell.exe
2888	powershell.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

powershell.exe857aff9992a47764185c61da2493c753.exe

description	pid	process
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe
Token: 33	3724	857aff9992a47764185c61da2493c753.exe
Token: SeIncBasePriorityPrivilege	3724	857aff9992a47764185c61da2493c753.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

857aff9992a47764185c61da2493c753.exe

description	pid	process	target process
PID 3996 wrote to memory of 2888	3996	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 3996 wrote to memory of 2888	3996	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 3996 wrote to memory of 2888	3996	857aff9992a47764185c61da2493c753.exe	powershell.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe
PID 3996 wrote to memory of 3724	3996	857aff9992a47764185c61da2493c753.exe	857aff9992a47764185c61da2493c753.exe

C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
"C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe
"C:\Users\Admin\AppData\Local\Temp\857aff9992a47764185c61da2493c753.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\857aff9992a47764185c61da2493c753.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/2888-153-0x0000000008B20000-0x0000000008B53000-memory.dmp

Filesize
204KB

Download
memory/2888-361-0x0000000008DE0000-0x0000000008DE1000-memory.dmp

Filesize
4KB

Download
memory/2888-137-0x0000000006B00000-0x0000000006B01000-memory.dmp

Filesize
4KB

Download
memory/2888-367-0x0000000008DD0000-0x0000000008DD1000-memory.dmp

Filesize
4KB

Download
memory/2888-138-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/2888-168-0x0000000000EF3000-0x0000000000EF4000-memory.dmp

Filesize
4KB

Download
memory/2888-139-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2888-167-0x000000007F470000-0x000000007F471000-memory.dmp

Filesize
4KB

Download
memory/2888-125-0x0000000000000000-mapping.dmp

Download
memory/2888-166-0x0000000008E50000-0x0000000008E51000-memory.dmp

Filesize
4KB

Download
memory/2888-165-0x0000000008C70000-0x0000000008C71000-memory.dmp

Filesize
4KB

Download
memory/2888-160-0x0000000008B00000-0x0000000008B01000-memory.dmp

Filesize
4KB

Download
memory/2888-135-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2888-136-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2888-145-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/2888-144-0x0000000007DA0000-0x0000000007DA1000-memory.dmp

Filesize
4KB

Download
memory/2888-143-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2888-140-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/2888-141-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2888-142-0x0000000000EF2000-0x0000000000EF3000-memory.dmp

Filesize
4KB

Download
memory/3724-383-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/3724-127-0x000000000040677E-mapping.dmp

Download
memory/3724-126-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3996-123-0x00000000083E0000-0x0000000008434000-memory.dmp

Filesize
336KB

Download
memory/3996-118-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3996-115-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3996-117-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3996-124-0x0000000008450000-0x000000000846F000-memory.dmp

Filesize
124KB

Download
memory/3996-122-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/3996-121-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/3996-120-0x0000000005280000-0x0000000005287000-memory.dmp

Filesize
28KB

Download
memory/3996-119-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing