njrat | bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e

Analysis

max time kernel
145s
max time network
138s
platform
windows7_x64
resource
win7-en-20211014
submitted
04-12-2021 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65eec0b9da0cc90e1254ba7594a6291.exe
Size

1012KB
MD5

a65eec0b9da0cc90e1254ba7594a6291
SHA1

0692268e96272c0b0e25eb6e337fc086c7f4bda2
SHA256

bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e
SHA512

48464c59a7eadffbedec8a95a1fc4a0f42d3f10928e8394abefa629bd70d0a41816f3850c8e14f9c3c870f0cc56dee1c319b0290f5a78c5e4791960946c939bd

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

milla.publicvm.com:5050

Mutex

c0dd26caedd

Attributes

reg_key
c0dd26caedd
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

a65eec0b9da0cc90e1254ba7594a6291.exe

description	pid	process
Token: SeDebugPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	1656	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	1656	a65eec0b9da0cc90e1254ba7594a6291.exe

C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe
"C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-55-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1656-57-0x0000000075B71000-0x0000000075B73000-memory.dmp

Filesize
8KB

Download
memory/1656-58-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1656-59-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download