njrat | 1f6e992bb9f1e4ba2640df7f5f44036fd70696c9b3f3d7a18562bb28fbf3b0e2

General

Target

sample.exe
Size

137KB
MD5

22ae02a0257adbbf653910e99f3cf6cc
SHA1

1b610c0bca5caf1e5bdcd409949c269b7e51313d
SHA256

812464aa0dfc28db563abf6f12caba88f4c8998ad5813741b781c3ddbcba1eaf
SHA512

3c5abc665e103cc039edbc58ac3828d6a9cd44254616dd27bd4623e7aff6ba488440edb1732a521738ecfbd0918c1c1cdcf3c4169d1220f3f85a54db5aed4470
SSDEEP

3072:s59ZqNXGJoDAsdXMuhuz+bAd7j5+XpidGClihmQi:ccG2DAoIz3nFdBi

Score

10^/10

njrat nyan cat rezer0 trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

medallos.duckdns.org:2054

Mutex

89a15ad405

Attributes

reg_key
89a15ad405
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2392-4-0x0000000000410000-0x0000000000426000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

sample.exe

description pid process target process

PID 2392 set thread context of 1320 2392 sample.exe sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2516 schtasks.exe

description	pid	process	target process
PID 2392 set thread context of 1320	2392	sample.exe	sample.exe

pid	process
2516	schtasks.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

sample.exe

description	pid	process
Token: SeDebugPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe
Token: 33	1320	sample.exe
Token: SeIncBasePriorityPrivilege	1320	sample.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 2392 wrote to memory of 2516	2392	sample.exe	schtasks.exe
PID 2392 wrote to memory of 2516	2392	sample.exe	schtasks.exe
PID 2392 wrote to memory of 2516	2392	sample.exe	schtasks.exe
PID 2392 wrote to memory of 2516	2392	sample.exe	schtasks.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe
PID 2392 wrote to memory of 1320	2392	sample.exe	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vRvlEEzoAS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp"
2⤵
- Creates scheduled task(s)
PID:2516

C:\Users\Admin\AppData\Local\Temp\sample.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp84A.tmp
Filesize
1KB

MD5
8e75d948b0d9f9e7dbedfafeae7d0699

SHA1
e0f81dcb7840194baef6f0514e47769beefc87e1

SHA256
f44dc667929a7ff54a775cf3c263eace862dd5bb1ff245867a5906ad03fac595

SHA512
443c8ee7113781726143b4e68012b61550cde66a03008fc6e057e2841ee70005049def2f6aeb4867f51383028b01d31718c28285b43a3d3af113430ab05cfa74

Download Submit
memory/1320-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-9-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1320-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2392-2-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2392-1-0x0000000000B60000-0x0000000000B88000-memory.dmp

Filesize
160KB

Download
memory/2392-5-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp

Filesize
4KB

Download
memory/2392-4-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2392-3-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-24-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads