General

  • Target

    Topaz Gigapixel AI.exe

  • Size

    1.2MB

  • Sample

    211107-b8yafageg4

  • MD5

    d6d229869a80b1c75a9f8c0a5032a6f7

  • SHA1

    770319ca825946e3030b6f547542e5b736b6731a

  • SHA256

    08fe05207856de4aea291a2cc45ef04059a15f859deb4d4de69220162e2c056d

  • SHA512

    4ce78cec0670d30882edbef6f0173f891e451902b4cdd7f47f0b18db9e1b2ccf447c453d7f16f1722f59b8bb28b93ac51d404691df26cb24dfcb3ac979220911

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7NC

  • Botnet

    NYAN CAT

  • C2

    alice2019.myftp.biz:5552

  • Mutex

    28ac71370f2e4

  • Attributes

    • reg_key

      28ac71370f2e4

    • splitter

      @!#&^%$

Targets

    • Target

      D3A9543FAE305405220AC1F627327074DC1BDE573789452A2F0E62429DB87987

    • Size

      1.3MB

    • MD5

      ec7f6620c82becd13651a358f408bf72

    • SHA1

      d66e726b99a648f705a8ab82308c52cad9ca275d

    • SHA256

      d3a9543fae305405220ac1f627327074dc1bde573789452a2f0e62429db87987

    • SHA512

      1efc9ab3bf16f434c67d6904ecae70ec3d9811958d758401672a6c062f3f4fc8627049cb884cee0e5b8dd40946d14e96716f4bd8c1210373df49a4533e1f5d4d

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • autoit_exe

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Matrix ATT&CK v6

    Tactic           Technique                            Count  ID
    Persistence      Registry Run Keys / Startup Folder   1      T1060
    Defense Evasion  Modify Registry                      1      T1112
    Discovery        Query Registry                       1      T1012
    Discovery        System Information Discovery         1      T1082

Tasks