njrat | cebee7dc0112f960319868d6df1f9db37868e1912def20304af20a21bf409250

General

Target

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
Size

361KB
MD5

440776946da09827ff0ac2f56741c086
SHA1

62cfd5f03712e636fd5883f2b92fb565d2207f33
SHA256

cebee7dc0112f960319868d6df1f9db37868e1912def20304af20a21bf409250
SHA512

521288f212ffd3a3422ca36c8e6fca3ee94030ea5b369798e3332e4a52c4a3f94cdcd9b70e31a7ae1f85c93527161349827dacb285f11529e799932db4522b1d
SSDEEP

6144:k2EKdoUIe33cHZBYuJalMd13x0cH9Bek4PN5mYUpg:HEKGf5UlY3zH9BsmYUi

Score

10^/10

njrat nyan cat persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

dongreg202020.kozow.com:8874

Mutex

df42226e7936412c9a9e4b35efad0718

Attributes

reg_key
df42226e7936412c9a9e4b35efad0718
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2984 svchost.exe
1512 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

pid process

2568 440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

pid	process
2984	svchost.exe
1512	svchost.exe

pid	process
2568	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 1948 set thread context of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 2984 set thread context of 1512	2984	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

pid	process
1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
2984	svchost.exe
2984	svchost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
Token: SeDebugPrivilege	2984	svchost.exe
Token: SeDebugPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe
Token: 33	1512	svchost.exe
Token: SeIncBasePriorityPrivilege	1512	svchost.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 1948 wrote to memory of 2568	1948	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 2568 wrote to memory of 2984	2568	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 2568 wrote to memory of 2984	2568	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 2568 wrote to memory of 2984	2568	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 2568 wrote to memory of 2984	2568	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe
PID 2984 wrote to memory of 1512	2984	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
"{path}"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Roaming\svchost.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\svchost.exe
Filesize
49.2MB

MD5
f8e66751585e640ac30943ea38254f08

SHA1
60d3fe9649265213d2b03a86340ed3696cbacbab

SHA256
8e71abe2d0e33ef7a462b1fb54c0c56135d8428ab33786940a4acf32b5dacce4

SHA512
656d54522043f0f8e7fba0c3f14345212f5277ee9b2a6b9c2a8b06b70281d462206f94ca984e83849885627db57facc040acf07841603810e998d654351ccde0

Download Submit
memory/1512-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x00000000743B1000-0x00000000743B2000-memory.dmp

Filesize
4KB

Download
memory/1948-1-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-2-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-3-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-4-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/1948-21-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-20-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-22-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-31-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2984-32-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-30-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download
memory/2984-46-0x00000000743B0000-0x000000007495B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads