njrat | 90513b75e86063db47f5ab12981e611e1bdad8bd094c062c6c61aa761d7de8fa

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08-07-2023 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mrnjhdf.bin.exe
Size

374KB
MD5

ba576a58775f397175afb3c6489ce7a6
SHA1

1d360275e14ba307b8d890df12dbab3d3c1a46c2
SHA256

90513b75e86063db47f5ab12981e611e1bdad8bd094c062c6c61aa761d7de8fa
SHA512

e503cb59d691fcf135442e99eba39b01ce908eae0625d7484f35055275090746e60ec60e0734e342a4c7a02aebeb20f6e2781da9a1409d24c4d6c5a855a06372
SSDEEP

6144:RruzpT9ioSfQd74QdWRoOamLIZC4M9w2GoS7ura8cWrafmJDR9a:gz/ioTbuoOaeh4M9QoNr7ymJDR9

Score

10^/10

njrat nyan cat trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

nj0509.duckdns.org:0509

Mutex

6ce9672712ba4490be

Attributes

reg_key
6ce9672712ba4490be
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrnjhdf.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrnjhdf.exe	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2172 set thread context of 3032	2172	mrnjhdf.bin.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
696	Powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	Powershell.exe
Token: SeDebugPrivilege	2172	mrnjhdf.bin.exe
Token: SeDebugPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe
Token: 33	3032	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	3032	InstallUtil.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 696	2172	mrnjhdf.bin.exe	29
PID 2172 wrote to memory of 696	2172	mrnjhdf.bin.exe	29
PID 2172 wrote to memory of 696	2172	mrnjhdf.bin.exe	29
PID 2172 wrote to memory of 696	2172	mrnjhdf.bin.exe	29
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31
PID 2172 wrote to memory of 3032	2172	mrnjhdf.bin.exe	31

C:\Users\Admin\AppData\Local\Temp\mrnjhdf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\mrnjhdf.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
  "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\mrnjhdf.bin.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mrnjhdf.exe'
  2⤵
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/696-59-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/696-119-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/696-60-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/2172-91-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-69-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-61-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2172-97-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-63-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-99-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-67-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-95-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-71-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-73-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-77-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-75-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-79-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-83-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-81-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-87-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-89-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-85-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-93-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-54-0x00000000011C0000-0x0000000001224000-memory.dmp

Filesize
400KB

Download
memory/2172-62-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-56-0x00000000010C0000-0x0000000001100000-memory.dmp

Filesize
256KB

Download
memory/2172-65-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-101-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-103-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-105-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-109-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-107-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-111-0x0000000000340000-0x0000000000363000-memory.dmp

Filesize
140KB

Download
memory/2172-120-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2172-55-0x0000000000B50000-0x0000000000BA6000-memory.dmp

Filesize
344KB

Download
memory/3032-114-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-113-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-112-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-118-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-115-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3032-122-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-124-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3032-125-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download
memory/3032-126-0x0000000000640000-0x0000000000680000-memory.dmp

Filesize
256KB

Download