njrat | 15d5605f08420bd6b2ed02d9e08885e442c3f3e0bd4423b2ca7450f593799963

General

Target

xs6Wrp6hsMa5.exe
Size

32KB
MD5

9bb347432d6e8b9547423d3669480fea
SHA1

7fce085a31c86c3fadd50c4112de8a29ce6f56d3
SHA256

15d5605f08420bd6b2ed02d9e08885e442c3f3e0bd4423b2ca7450f593799963
SHA512

ba9bffb9b02941e464df8f4516067f18de769e56d1cfcce16e7c067b7bc07567a7e18ab3e22ebe5c3b662eeafbd71d2e9a01a17f2d6bb373a8a4b75842e88384
SSDEEP

384:I0bUe5XB4e0XmOntlXCpF7r/HWTztTUFQqzFfObbT:9T9Bu1tlQQ1bT

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

127.0.0.1:5552

Mutex

ea3787d063a

Attributes

reg_key
ea3787d063a
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1552	tmpAA83.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	xs6Wrp6hsMa5.exe
1968	xs6Wrp6hsMa5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: 33	1968	xs6Wrp6hsMa5.exe
Token: SeIncBasePriorityPrivilege	1968	xs6Wrp6hsMa5.exe
Token: SeDebugPrivilege	1552	tmpAA83.tmp.exe
Token: 33	1552	tmpAA83.tmp.exe
Token: SeIncBasePriorityPrivilege	1552	tmpAA83.tmp.exe
Token: 33	1552	tmpAA83.tmp.exe
Token: SeIncBasePriorityPrivilege	1552	tmpAA83.tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1552	1968	xs6Wrp6hsMa5.exe	28
PID 1968 wrote to memory of 1552	1968	xs6Wrp6hsMa5.exe	28
PID 1968 wrote to memory of 1552	1968	xs6Wrp6hsMa5.exe	28
PID 1968 wrote to memory of 1552	1968	xs6Wrp6hsMa5.exe	28
PID 1968 wrote to memory of 1716	1968	xs6Wrp6hsMa5.exe	29
PID 1968 wrote to memory of 1716	1968	xs6Wrp6hsMa5.exe	29
PID 1968 wrote to memory of 1716	1968	xs6Wrp6hsMa5.exe	29
PID 1968 wrote to memory of 1716	1968	xs6Wrp6hsMa5.exe	29

C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe
"C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe" ..
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\xs6Wrp6hsMa5.exe"
  2⤵
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.exe

Filesize
32KB

MD5
4e201611cad91d124ca94677dbf1d326

SHA1
01931b16d63e08005ef8a51867365fd0ee0fa8a7

SHA256
0224a374969f35097463a3d3e5c6dc0c0989fd68c110487816adeacbece9ad9c

SHA512
934fe3f037389222485a9990dd0e971b1d3861e33e5d9eff87f07a1c5e955ebbdd0712a17ebcd2ccde38595638b68982e043e667534fa70a34efae3e2c6b52db

Download Submit
memory/1552-65-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-66-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1968-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-56-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-64-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing