njrat | a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

General

Target

4a9efd5ecea388e5ce1d20b75060874b.exe
Size

2.0MB
MD5

4a9efd5ecea388e5ce1d20b75060874b
SHA1

5cd3796b22f4c126df395f4fbb4285a3997ec345
SHA256

a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b
SHA512

08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006
SSDEEP

3072:OgdUd3vlTmL/A5nzbYHnzVO9qtD2jW+/5LUa:adfiAxbYHnz5ay+/5L

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

juancaf4000.duckdns.org:5050

Mutex

2925ee0393c24d569

Attributes

reg_key
2925ee0393c24d569
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

monost.exemonost.exe

pid process

1612 monost.exe
2024 monost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1612	monost.exe
2024	monost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4a9efd5ecea388e5ce1d20b75060874b.exemonost.exemonost.exe

description	pid	process	target process
PID 1324 set thread context of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1612 set thread context of 1096	1612	monost.exe	vbc.exe
PID 2024 set thread context of 1368	2024	monost.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1580 schtasks.exe
1840 schtasks.exe
1296 schtasks.exe

pid	process
1580	schtasks.exe
1840	schtasks.exe
1296	schtasks.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeDebugPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe
Token: 33	2036	vbc.exe
Token: SeIncBasePriorityPrivilege	2036	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4a9efd5ecea388e5ce1d20b75060874b.execmd.exetaskeng.exemonost.execmd.exemonost.exe

description	pid	process	target process
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 2036	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 1324 wrote to memory of 592	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 592	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 592	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 592	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 588	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 588	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 588	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 588	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 588 wrote to memory of 1840	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1840	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1840	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1840	588	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 1960	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 1960	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 1960	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1324 wrote to memory of 1960	1324	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 1864 wrote to memory of 1612	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 1612	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 1612	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 1612	1864	taskeng.exe	monost.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1096	1612	monost.exe	vbc.exe
PID 1612 wrote to memory of 1936	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 1936	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 1936	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 1936	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 764	1612	monost.exe	cmd.exe
PID 764 wrote to memory of 1296	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 1296	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 1296	764	cmd.exe	schtasks.exe
PID 764 wrote to memory of 1296	764	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 316	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 316	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 316	1612	monost.exe	cmd.exe
PID 1612 wrote to memory of 316	1612	monost.exe	cmd.exe
PID 1864 wrote to memory of 2024	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 2024	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 2024	1864	taskeng.exe	monost.exe
PID 1864 wrote to memory of 2024	1864	taskeng.exe	monost.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe
PID 2024 wrote to memory of 1368	2024	monost.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe
"C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
2⤵
PID:592

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1840

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
2⤵
PID:1960

C:\Windows\system32\taskeng.exe
taskeng.exe {1183079C-423C-4AA2-A086-C9FD736E4713} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Roaming\monost\monost.exe
C:\Users\Admin\AppData\Roaming\monost\monost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
3⤵
PID:1936

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1296

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\monost\monost.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
3⤵
PID:316

C:\Users\Admin\AppData\Roaming\monost\monost.exe
C:\Users\Admin\AppData\Roaming\monost\monost.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
3⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1580

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\monost\monost.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
3⤵
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
memory/1096-79-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1324-55-0x0000000000340000-0x000000000034E000-memory.dmp

Filesize
56KB

Download
memory/1324-56-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/1324-54-0x00000000012C0000-0x00000000012DE000-memory.dmp

Filesize
120KB

Download
memory/1612-74-0x00000000044C0000-0x0000000004500000-memory.dmp

Filesize
256KB

Download
memory/1612-73-0x0000000000B40000-0x0000000000B5E000-memory.dmp

Filesize
120KB

Download
memory/2024-97-0x00000000020A0000-0x00000000020E0000-memory.dmp

Filesize
256KB

Download
memory/2024-86-0x0000000000BE0000-0x0000000000BFE000-memory.dmp

Filesize
120KB

Download
memory/2036-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-70-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2036-69-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2036-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads