njrat | 25c9d000b42a92daeb66f415dab93a5f6d97fe8efbd7855dc08490c93a06ce87

General

Target

cc checker.exe
Size

36KB
MD5

2bde8284cee1fa0fe32a7b815e6b386a
SHA1

8d9f12d9f97980171317fa2fc9ef5a42b50af82a
SHA256

68925c30a00e4698111dd2f8f342568d120beb13ba2442e8129cfc79f8fd08ec
SHA512

847d8739cd122c758051f1620d9212c759d6e8c03b6b9510ad9589937f82c6326c94c39b57fdd4df7780b1455f094fbcaa1769ab8c890233d9fee55deeeaef99
SSDEEP

384:cfiZ9ktDWlPWPISeq90KTqZyQiiAnuPXMmWTetT2/F1qzsEQT:cfiZaDWNwJ9MyQiiCcKT

Score

10^/10

njrat nyan cat discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

iiiimmm.myq-see.com:55554

Mutex

4fcb39e2a91345ea8d6202f07912a06e

Attributes

reg_key
4fcb39e2a91345ea8d6202f07912a06e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2636	srss.exe

Loads dropped DLL 2 IoCs

pid	Process
2380	cc checker.exe
2380	cc checker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\srss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srss.exe\""	cc checker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srss.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe
Token: 33	2636	srss.exe
Token: SeIncBasePriorityPrivilege	2636	srss.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2636	2380	cc checker.exe	31
PID 2380 wrote to memory of 2636	2380	cc checker.exe	31
PID 2380 wrote to memory of 2636	2380	cc checker.exe	31
PID 2380 wrote to memory of 2636	2380	cc checker.exe	31

C:\Users\Admin\AppData\Local\Temp\cc checker.exe
"C:\Users\Admin\AppData\Local\Temp\cc checker.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\srss.exe
  "C:\Users\Admin\AppData\Local\Temp\srss.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\srss.exe

Filesize
48.9MB

MD5
3f7b474b781d4119a8c7fe29f10e5dc8

SHA1
1680042090deb717006de089c2c8515018a60412

SHA256
97838b9113b9955cc57f417420674b5aee644598ac40480c870b1d7a78c8727d

SHA512
ad25e008977be483ac5bfd5376dd340e7bcffd08e0584c69d71ffb32c54ef406c7ee00d729bd51db100453068d3eeb4e34a1e1f749fbe0fde23814801c70e9a2

Download Submit
memory/2380-0-0x0000000074031000-0x0000000074032000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-4-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2380-14-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-15-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download
memory/2636-16-0x0000000074030000-0x00000000745DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads