njrat | bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e

General

Target

a65eec0b9da0cc90e1254ba7594a6291.exe
Size

1012KB
MD5

a65eec0b9da0cc90e1254ba7594a6291
SHA1

0692268e96272c0b0e25eb6e337fc086c7f4bda2
SHA256

bf05a3947e7a4140b43547581564d04991f0c339a7ac35bcb2c7bb93f7b7ae1e
SHA512

48464c59a7eadffbedec8a95a1fc4a0f42d3f10928e8394abefa629bd70d0a41816f3850c8e14f9c3c870f0cc56dee1c319b0290f5a78c5e4791960946c939bd

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

milla.publicvm.com:5050

Mutex

c0dd26caedd

Attributes

reg_key
c0dd26caedd
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

a65eec0b9da0cc90e1254ba7594a6291.exe

description	pid	process
Token: SeDebugPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: 33	3508	a65eec0b9da0cc90e1254ba7594a6291.exe
Token: SeIncBasePriorityPrivilege	3508	a65eec0b9da0cc90e1254ba7594a6291.exe

C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe
"C:\Users\Admin\AppData\Local\Temp\a65eec0b9da0cc90e1254ba7594a6291.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3508-118-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3508-120-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/3508-121-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3508-122-0x00000000025C0000-0x00000000025C8000-memory.dmp

Filesize
32KB

Download
memory/3508-123-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3508-124-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/3508-125-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3508-126-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing