njrat | a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

General

Target

4a9efd5ecea388e5ce1d20b75060874b.exe
Size

2.0MB
MD5

4a9efd5ecea388e5ce1d20b75060874b
SHA1

5cd3796b22f4c126df395f4fbb4285a3997ec345
SHA256

a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b
SHA512

08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006
SSDEEP

3072:OgdUd3vlTmL/A5nzbYHnzVO9qtD2jW+/5LUa:adfiAxbYHnz5ay+/5L

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

juancaf4000.duckdns.org:5050

Mutex

2925ee0393c24d569

Attributes

reg_key
2925ee0393c24d569
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

monost.exemonost.exe

pid process

2712 monost.exe
3792 monost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2712	monost.exe
3792	monost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

4a9efd5ecea388e5ce1d20b75060874b.exemonost.exemonost.exe

description	pid	process	target process
PID 4572 set thread context of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 2712 set thread context of 4452	2712	monost.exe	vbc.exe
PID 3792 set thread context of 3984	3792	monost.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4100 schtasks.exe
4388 schtasks.exe
4220 schtasks.exe

pid	process
4100	schtasks.exe
4388	schtasks.exe
4220	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

vbc.exe

description	pid	process
Token: SeDebugPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe
Token: 33	4316	vbc.exe
Token: SeIncBasePriorityPrivilege	4316	vbc.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

4a9efd5ecea388e5ce1d20b75060874b.execmd.exemonost.execmd.exemonost.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 4316	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	vbc.exe
PID 4572 wrote to memory of 3920	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 3920	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 3920	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 2516	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 2516	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 2516	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 2516 wrote to memory of 4220	2516	cmd.exe	schtasks.exe
PID 2516 wrote to memory of 4220	2516	cmd.exe	schtasks.exe
PID 2516 wrote to memory of 4220	2516	cmd.exe	schtasks.exe
PID 4572 wrote to memory of 2704	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 2704	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 4572 wrote to memory of 2704	4572	4a9efd5ecea388e5ce1d20b75060874b.exe	cmd.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4452	2712	monost.exe	vbc.exe
PID 2712 wrote to memory of 4328	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 4328	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 4328	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 3152	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 3152	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 3152	2712	monost.exe	cmd.exe
PID 3152 wrote to memory of 4100	3152	cmd.exe	schtasks.exe
PID 3152 wrote to memory of 4100	3152	cmd.exe	schtasks.exe
PID 3152 wrote to memory of 4100	3152	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 3412	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 3412	2712	monost.exe	cmd.exe
PID 2712 wrote to memory of 3412	2712	monost.exe	cmd.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3984	3792	monost.exe	vbc.exe
PID 3792 wrote to memory of 3780	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 3780	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 3780	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 1340	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 1340	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 1340	3792	monost.exe	cmd.exe
PID 1340 wrote to memory of 4388	1340	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 4388	1340	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 4388	1340	cmd.exe	schtasks.exe
PID 3792 wrote to memory of 4884	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 4884	3792	monost.exe	cmd.exe
PID 3792 wrote to memory of 4884	3792	monost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe
"C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
2⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4a9efd5ecea388e5ce1d20b75060874b.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
2⤵
PID:2704

C:\Users\Admin\AppData\Roaming\monost\monost.exe
C:\Users\Admin\AppData\Roaming\monost\monost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
2⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4100

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\monost\monost.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
2⤵
PID:3412

C:\Users\Admin\AppData\Roaming\monost\monost.exe
C:\Users\Admin\AppData\Roaming\monost\monost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\monost"
2⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\monost\monost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\monost\monost.exe" "C:\Users\Admin\AppData\Roaming\monost\monost.exe"
2⤵
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\monost.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
C:\Users\Admin\AppData\Roaming\monost\monost.exe
Filesize
2.0MB

MD5
4a9efd5ecea388e5ce1d20b75060874b

SHA1
5cd3796b22f4c126df395f4fbb4285a3997ec345

SHA256
a7e5ba6eb88830abc5baa063d667d36a786cd9c845b6d3536aa2c5405332e74b

SHA512
08186d35b539c1984384de0bcf36faf510b997a39f06661c9de573843357dcffbb6c7f750e578f30570dadc3fde2166ee0f1b11e1bcf883d4bef197409c6c006

Download Submit
memory/2712-148-0x0000000000FF0000-0x0000000001000000-memory.dmp

Filesize
64KB

Download
memory/3792-154-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4316-137-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4316-144-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4316-145-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4316-143-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/4316-142-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4316-141-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/4316-136-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/4316-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4572-133-0x0000000000E10000-0x0000000000E2E000-memory.dmp

Filesize
120KB

Download
memory/4572-134-0x00000000055E0000-0x00000000055F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads