njrat | 1f6e992bb9f1e4ba2640df7f5f44036fd70696c9b3f3d7a18562bb28fbf3b0e2

General

Target

sample.exe
Size

137KB
MD5

22ae02a0257adbbf653910e99f3cf6cc
SHA1

1b610c0bca5caf1e5bdcd409949c269b7e51313d
SHA256

812464aa0dfc28db563abf6f12caba88f4c8998ad5813741b781c3ddbcba1eaf
SHA512

3c5abc665e103cc039edbc58ac3828d6a9cd44254616dd27bd4623e7aff6ba488440edb1732a521738ecfbd0918c1c1cdcf3c4169d1220f3f85a54db5aed4470
SSDEEP

3072:s59ZqNXGJoDAsdXMuhuz+bAd7j5+XpidGClihmQi:ccG2DAoIz3nFdBi

Score

10^/10

njrat nyan cat rezer0 trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

medallos.duckdns.org:2054

Mutex

89a15ad405

Attributes

reg_key
89a15ad405
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/2388-7-0x0000000005330000-0x0000000005346000-memory.dmp	rezer0

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sample.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation sample.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sample.exe

description pid process target process

PID 2388 set thread context of 1468 2388 sample.exe sample.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

428 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	sample.exe

description	pid	process	target process
PID 2388 set thread context of 1468	2388	sample.exe	sample.exe

pid	process
428	schtasks.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

sample.exe

description	pid	process
Token: SeDebugPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe
Token: 33	1468	sample.exe
Token: SeIncBasePriorityPrivilege	1468	sample.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 2388 wrote to memory of 428	2388	sample.exe	schtasks.exe
PID 2388 wrote to memory of 428	2388	sample.exe	schtasks.exe
PID 2388 wrote to memory of 428	2388	sample.exe	schtasks.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe
PID 2388 wrote to memory of 1468	2388	sample.exe	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vRvlEEzoAS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp"
2⤵
- Creates scheduled task(s)
PID:428

C:\Users\Admin\AppData\Local\Temp\sample.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sample.exe.log
Filesize
507B

MD5
ab4c71d3ff6255edd4e5c1e09540f49e

SHA1
22e06bf4e258741b5df918061871cba998c50cea

SHA256
1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a

SHA512
8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2834.tmp
Filesize
1KB

MD5
e515bab079294cc82cf3833257b712c0

SHA1
07e967c45172b65dad55bcfe3cddcddc0d908375

SHA256
8dbb50fc0d12f90be711c945f4439d3f856d17628785ae975d54ceebecfc9935

SHA512
20af559fe36dca0b31db8f72d0833795fa10ddca247618cb358f6c2e52a76e7a18bdbbbdbc051fd23ccd117e840af9819543e5cfe23e906bd2e25913c6e04d55

Download Submit
memory/1468-18-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/1468-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1468-22-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/1468-21-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/1468-20-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/1468-19-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/1468-17-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2388-7-0x0000000005330000-0x0000000005346000-memory.dmp

Filesize
88KB

Download
memory/2388-2-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/2388-9-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2388-1-0x00000000007F0000-0x0000000000818000-memory.dmp

Filesize
160KB

Download
memory/2388-16-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2388-8-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/2388-0-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/2388-3-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/2388-6-0x0000000074FA0000-0x0000000075750000-memory.dmp

Filesize
7.7MB

Download
memory/2388-5-0x0000000074FAE000-0x0000000074FAF000-memory.dmp

Filesize
4KB

Download
memory/2388-4-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads