Malware Analysis Report

2025-06-16 06:50

Sample ID 220930-aewn3sdbar
Target bF16.exe
SHA256 459339ad24f46b7d4d28e0badbc1eac08f16af67c88ccde5cbd9b4fd99ee46ab
Tags
nyan cat njrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

459339ad24f46b7d4d28e0badbc1eac08f16af67c88ccde5cbd9b4fd99ee46ab

Threat Level: Known bad

The file bF16.exe was found to be: Known bad.

Malicious Activity Summary

nyan cat njrat

Njrat family

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-09-30 00:08

Signatures

Njrat family

njrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-30 00:08

Reported

2022-09-30 00:10

Platform

win7-20220812-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bF16.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bF16.exe

"C:\Users\Admin\AppData\Local\Temp\bF16.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 winry7.duckdns.org udp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
US 8.8.8.8:53 winry7.duckdns.org udp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
CO 177.255.84.82:8787 winry7.duckdns.org tcp

Files

memory/1456-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

memory/1456-55-0x0000000074C70000-0x000000007521B000-memory.dmp

memory/1456-56-0x0000000074C70000-0x000000007521B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-30 00:08

Reported

2022-09-30 00:10

Platform

win10v2004-20220812-en

Max time kernel

84s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bF16.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bF16.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bF16.exe

"C:\Users\Admin\AppData\Local\Temp\bF16.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 winry7.duckdns.org udp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.242.101.226:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 udp
N/A 52.242.97.97:443 tcp
US 8.8.8.8:53 udp
N/A 52.242.101.226:443 tcp
CO 177.255.84.82:8787 tcp
N/A 52.168.117.170:443 tcp
US 8.8.8.8:53 udp
N/A 52.109.8.45:443 tcp
CO 177.255.84.82:8787 winry7.duckdns.org tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 winry7.duckdns.org udp
CO 177.255.84.82:8787 winry7.duckdns.org tcp

Files

memory/4656-132-0x0000000075580000-0x0000000075B31000-memory.dmp

memory/4656-133-0x0000000075580000-0x0000000075B31000-memory.dmp