njrat | 449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Size

327KB
MD5

51b869db68994c50f63c8fbe4054a346
SHA1

627a1343536b5ac1e6d1fd5b06792e906eedded4
SHA256

449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812
SHA512

65e7a8b499d08ac00862ecb0ba4bc5bf94334026368c3eefb77142543a445a05b6351811a815e8913deabe45ddbe6c91c2b2da957d928b567f0c494cec2cd629
SSDEEP

6144:mdeqxwx+PiZZTZP2I0MKff5ch7M1soSGpjpt4nh+2j3hVa9gXmiQt3K:aX5czoSGPt4p3hVfXmiQt6

Score

10^/10

njrat nyan cat discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

seznam.hopto.org:5050

Mutex

a321f292c1b24fe7931

Attributes

reg_key
a321f292c1b24fe7931
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: 33	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
Token: SeIncBasePriorityPrivilege	2932	449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe

C:\Users\Admin\AppData\Local\Temp\449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe
"C:\Users\Admin\AppData\Local\Temp\449ce4867605f3e0314710eee5031b05ffc2c9b1cedc6214160b575a53de6812.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2932-0-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/2932-1-0x00000000011B0000-0x0000000001208000-memory.dmp

Filesize
352KB

Download
memory/2932-2-0x000000007439E000-0x000000007439F000-memory.dmp

Filesize
4KB

Download
memory/2932-3-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-5-0x0000000074390000-0x0000000074A7E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-7-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download