njrat | 182198163b1d17b3d5524bbe792b4546e404c00a5995e5f471371646a632bfe4

General

Target

xxxwsP9yoAsG.exe
Size

32KB
MD5

700f97d8d03c5f1990a890d2faa7ff2a
SHA1

85db6c14e25a3b114642a2f987fff46ed03fc39c
SHA256

182198163b1d17b3d5524bbe792b4546e404c00a5995e5f471371646a632bfe4
SHA512

6cfe8f3e4563d69af01095ba98c6199141b57f44841cc6c69d5278ebea3086ec054febdf9e29d866e0a1b3b560cb7b3091337ae7693804d89d1e8b67a7d03995
SSDEEP

384:70bUe5XB4e0XWOhIQq1pvmufCsIs0WTQtTUFQqz9BObbq:4T9BuFOQqvvmu6dnbq

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:5552

Mutex

ebf6d8bd176942

Attributes

reg_key
ebf6d8bd176942
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1188	tmp8F74.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1336	xxxwsP9yoAsG.exe
1336	xxxwsP9yoAsG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	xxxwsP9yoAsG.exe
Token: 33	1336	xxxwsP9yoAsG.exe
Token: SeIncBasePriorityPrivilege	1336	xxxwsP9yoAsG.exe
Token: 33	1336	xxxwsP9yoAsG.exe
Token: SeIncBasePriorityPrivilege	1336	xxxwsP9yoAsG.exe
Token: SeDebugPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe
Token: 33	1188	tmp8F74.tmp.exe
Token: SeIncBasePriorityPrivilege	1188	tmp8F74.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1188	1336	xxxwsP9yoAsG.exe	28
PID 1336 wrote to memory of 1188	1336	xxxwsP9yoAsG.exe	28
PID 1336 wrote to memory of 1188	1336	xxxwsP9yoAsG.exe	28
PID 1336 wrote to memory of 1188	1336	xxxwsP9yoAsG.exe	28
PID 1336 wrote to memory of 680	1336	xxxwsP9yoAsG.exe	29
PID 1336 wrote to memory of 680	1336	xxxwsP9yoAsG.exe	29
PID 1336 wrote to memory of 680	1336	xxxwsP9yoAsG.exe	29
PID 1336 wrote to memory of 680	1336	xxxwsP9yoAsG.exe	29

C:\Users\Admin\AppData\Local\Temp\xxxwsP9yoAsG.exe
"C:\Users\Admin\AppData\Local\Temp\xxxwsP9yoAsG.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe" ..
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\xxxwsP9yoAsG.exe"
  2⤵
  PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe

Filesize
32KB

MD5
337634c5830a1a265818c55ee5e6423f

SHA1
00f9dd641fc8a067bc5c23644aab295fadca50f6

SHA256
f8a52f23415278ee2ecc05e2ca40e614fb4d405864222a906f10f73dba0faa75

SHA512
eae5070f2dda057c3a9c5f2f3a61bef8a1ccc0e30f1cbb54cf4b0d0d5195e7bcfb1f13829ec194e68f40fb6e3df628ab1db94e7ec822346fe2a9f6597fb60ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe

Filesize
32KB

MD5
337634c5830a1a265818c55ee5e6423f

SHA1
00f9dd641fc8a067bc5c23644aab295fadca50f6

SHA256
f8a52f23415278ee2ecc05e2ca40e614fb4d405864222a906f10f73dba0faa75

SHA512
eae5070f2dda057c3a9c5f2f3a61bef8a1ccc0e30f1cbb54cf4b0d0d5195e7bcfb1f13829ec194e68f40fb6e3df628ab1db94e7ec822346fe2a9f6597fb60ab2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe

Filesize
32KB

MD5
337634c5830a1a265818c55ee5e6423f

SHA1
00f9dd641fc8a067bc5c23644aab295fadca50f6

SHA256
f8a52f23415278ee2ecc05e2ca40e614fb4d405864222a906f10f73dba0faa75

SHA512
eae5070f2dda057c3a9c5f2f3a61bef8a1ccc0e30f1cbb54cf4b0d0d5195e7bcfb1f13829ec194e68f40fb6e3df628ab1db94e7ec822346fe2a9f6597fb60ab2

Download Submit
\Users\Admin\AppData\Local\Temp\tmp8F74.tmp.exe

Filesize
32KB

MD5
337634c5830a1a265818c55ee5e6423f

SHA1
00f9dd641fc8a067bc5c23644aab295fadca50f6

SHA256
f8a52f23415278ee2ecc05e2ca40e614fb4d405864222a906f10f73dba0faa75

SHA512
eae5070f2dda057c3a9c5f2f3a61bef8a1ccc0e30f1cbb54cf4b0d0d5195e7bcfb1f13829ec194e68f40fb6e3df628ab1db94e7ec822346fe2a9f6597fb60ab2

Download Submit
memory/1188-65-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1188-66-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1336-55-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-56-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-64-0x0000000074460000-0x0000000074A0B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing