njrat | cebee7dc0112f960319868d6df1f9db37868e1912def20304af20a21bf409250

General

Target

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
Size

361KB
MD5

440776946da09827ff0ac2f56741c086
SHA1

62cfd5f03712e636fd5883f2b92fb565d2207f33
SHA256

cebee7dc0112f960319868d6df1f9db37868e1912def20304af20a21bf409250
SHA512

521288f212ffd3a3422ca36c8e6fca3ee94030ea5b369798e3332e4a52c4a3f94cdcd9b70e31a7ae1f85c93527161349827dacb285f11529e799932db4522b1d
SSDEEP

6144:k2EKdoUIe33cHZBYuJalMd13x0cH9Bek4PN5mYUpg:HEKGf5UlY3zH9BsmYUi

Score

10^/10

njrat nyan cat persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

dongreg202020.kozow.com:8874

Mutex

df42226e7936412c9a9e4b35efad0718

Attributes

reg_key
df42226e7936412c9a9e4b35efad0718
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

pid process

916 svchost.exe
4304 svchost.exe
3968 svchost.exe
3672 svchost.exe

pid	process
916	svchost.exe
4304	svchost.exe
3968	svchost.exe
3672	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 3096 set thread context of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 916 set thread context of 3672	916	svchost.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

pid	process
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
916	svchost.exe
916	svchost.exe
916	svchost.exe
916	svchost.exe
916	svchost.exe
916	svchost.exe
916	svchost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
Token: SeDebugPrivilege	916	svchost.exe
Token: SeDebugPrivilege	3672	svchost.exe
Token: 33	3672	svchost.exe
Token: SeIncBasePriorityPrivilege	3672	svchost.exe
Token: 33	3672	svchost.exe
Token: SeIncBasePriorityPrivilege	3672	svchost.exe
Token: 33	3672	svchost.exe
Token: SeIncBasePriorityPrivilege	3672	svchost.exe
Token: 33	3672	svchost.exe
Token: SeIncBasePriorityPrivilege	3672	svchost.exe
Token: 33	3672	svchost.exe
Token: SeIncBasePriorityPrivilege	3672	svchost.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

440776946da09827ff0ac2f56741c086_JaffaCakes118.exe440776946da09827ff0ac2f56741c086_JaffaCakes118.exesvchost.exe

description	pid	process	target process
PID 3096 wrote to memory of 3856	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 3856	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 3856	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 3096 wrote to memory of 4516	3096	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
PID 4516 wrote to memory of 916	4516	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 4516 wrote to memory of 916	4516	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 4516 wrote to memory of 916	4516	440776946da09827ff0ac2f56741c086_JaffaCakes118.exe	svchost.exe
PID 916 wrote to memory of 4304	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 4304	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 4304	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3968	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3968	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3968	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe
PID 916 wrote to memory of 3672	916	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:4304
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "{path}"
      4⤵
      Executes dropped EXE
      PID:3968
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4456,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=1304 /prefetch:8
1⤵
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\440776946da09827ff0ac2f56741c086_JaffaCakes118.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
49.2MB

MD5
ed3726130be0c05562abc95c385f8f34

SHA1
222b2539aa30e93fd186a8d852681bab2fd994d9

SHA256
bf06ed4c9c9cdd95b0c270d1afe25ef4eaec3c0172c2a81fa738b81112cb4ae4

SHA512
f2f35dc7db0043c369298ed0cfabad4995564a27873cf9f1199d97af78297c103b6cdd7a5be7e25795aacbf77287790b1fd968d37f76734d9fb30813c2e2d83e

Download Submit
memory/916-33-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/916-26-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/916-25-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/916-23-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-4-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-10-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-0-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download
memory/3096-3-0x0000000074C42000-0x0000000074C43000-memory.dmp

Filesize
4KB

Download
memory/3096-2-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/3096-1-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4516-8-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4516-9-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4516-11-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download
memory/4516-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4516-24-0x0000000074C40000-0x00000000751F1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads