njrat | ffd26fdd5b1c692dfba39bc753f8a5ec_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

ffd26fdd5b1c692dfba39bc753f8a5ec_JaffaCakes118
Size

61KB
MD5

ffd26fdd5b1c692dfba39bc753f8a5ec
SHA1

5b6fdcc70ab9c5578d497ece5e813fc77d1cb53d
SHA256

25c9d000b42a92daeb66f415dab93a5f6d97fe8efbd7855dc08490c93a06ce87
SHA512

26009ea3ee075210abc38aad6406360982e1f77c4bae7aaef068b7cb62322696aedab557473db351b7355484d03d4fccea6f2282435e4bcc656b8c038117f59d
SSDEEP

1536:NsqY/fdy64EahR6c+AkUyakhC0j1b7HeL8FrQC7hS:+Jc64NT6+ZZgCyv+L8B7hS

Score

10^/10

nyan cat njrat

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

iiiimmm.myq-see.com:55554

Mutex

4fcb39e2a91345ea8d6202f07912a06e

Attributes

reg_key
4fcb39e2a91345ea8d6202f07912a06e
splitter
|'|'|

Signatures

Njrat family
njrat

Unsigned PE 4 IoCs

Checks for missing Authenticode signature.

resource
unpack001/cc checker.exe
unpack001/dimap.dll
unpack001/dimsntfy.dll
unpack001/dimsroam.dll

Files

ffd26fdd5b1c692dfba39bc753f8a5ec_JaffaCakes118
.rar
cc checker.exe
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
cc dork.txt
dimap.dll
.dll windows:5 windows x86 arch:x86

469e31fbcb0cceedc5dbfe00ddb0c612

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

?terminate@@YAXXZ
free
?_set_new_mode@@YAHH@Z
memmove
?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z
wcscpy
wcscat
_snwprintf
wcschr
_wsplitpath
swscanf
_purecall
??2@YAPAXI@Z
??3@YAXPAX@Z
__CxxFrameHandler
_CxxThrowException
_onexit
__dllonexit
??1type_info@@UAE@XZ
_except_handler3
??0exception@@QAE@ABV0@@Z
iswspace
??1exception@@UAE@XZ
??0exception@@QAE@XZ
?what@exception@@UBEPBDXZ
_adjust_fdiv
malloc
isdigit
??0exception@@QAE@ABQBD@Z
strlen
wcslen
_initterm
memcpy

kernel32

GetModuleHandleW
GetSystemTimeAsFileTime
GetVersion
GetPrivateProfileStringW
CreateDirectoryW
GetPrivateProfileIntW
WideCharToMultiByte
MultiByteToWideChar
WritePrivateProfileStringW
GetLastError
DeleteCriticalSection
DisableThreadLibraryCalls
InterlockedDecrement
InterlockedIncrement
InitializeCriticalSection

shell32

SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHGetMalloc

advapi32

RegCloseKey
RegOpenKeyExW
RegQueryValueExW
GetUserNameW

user32

wsprintfW
CharUpperBuffW

ole32

StringFromGUID2

dinput8

DirectInput8Create

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 37KB - Virtual size: 37KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 266B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
dimsntfy.dll
.dll windows:5 windows x86 arch:x86

0f1fc30bf49f7faddc0f3241c2f8ff4a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dimsntfy.pdb

Imports

msvcrt

_adjust_fdiv
srand
rand
wcslen
malloc
_initterm
free

ntdll

RtlInitUnicodeString
RtlSetEnvironmentVariable

kernel32

CreateProcessW
DuplicateHandle
GetCurrentProcess
CreatePipe
FlushFileBuffers
InterlockedDecrement
RegisterWaitForSingleObject
WriteFile
DeleteTimerQueueTimer
InterlockedExchange
Sleep
InterlockedExchangeAdd
CreateTimerQueueTimer
MulDiv
OpenEventW
FindCloseChangeNotification
FindNextChangeNotification
FindFirstChangeNotificationW
QueueUserWorkItem
SetEvent
LocalFree
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
UnregisterWaitEx
InterlockedIncrement
GetLastError
CloseHandle
DisableThreadLibraryCalls
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
CreateEventW
LocalAlloc

advapi32

AddAccessDeniedAceEx
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetTokenInformation
ConvertSidToStringSidW
AllocateAndInitializeSid
FreeSid
CreateProcessAsUserW
RegDeleteKeyW
GetLengthSid
InitializeAcl
AddAccessAllowedAceEx
RegQueryValueExW
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegCreateKeyExW
RegSetValueExW
RegCloseKey
TraceMessage
DuplicateTokenEx
RegOpenKeyExW

netapi32

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

userenv

DestroyEnvironmentBlock
CreateEnvironmentBlock
UnregisterGPNotification
RegisterGPNotification
ord149

Exports

Exports

WlDimsLock
WlDimsLogoff
WlDimsLogon
WlDimsShutdown
WlDimsStartShell
WlDimsStartup
WlDimsUnlock

Sections

.text
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 532B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
dimsroam.dll
.dll windows:5 windows x86 arch:x86

4c2e2bb76b94f023d19fc83df8b01168

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

dimsroam.pdb

Imports

msvcrt

_adjust_fdiv
malloc
_initterm
free
wcscmp
_atoi64
_wcsicmp
_wcsnicmp
_ultow
_vsnwprintf
wcstoul
wcschr
wcslen

kernel32

WriteFile
SetFileAttributesW
EnterCriticalSection
FlushFileBuffers
SetFilePointer
GetFileSize
FindClose
FindNextFileW
FindFirstFileW
GetFileTime
CreateFileW
SetEndOfFile
DeleteFileW
GetTickCount
ReadFile
GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
LeaveCriticalSection
GetCurrentThread
GetCurrentProcess
SystemTimeToFileTime
CloseHandle
GetSystemTimeAsFileTime
CompareFileTime
GetLastError
LocalFree
LocalAlloc
DisableThreadLibraryCalls
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
QueryPerformanceCounter
Sleep
CreateDirectoryW

advapi32

CryptReleaseContext
OpenThreadToken
OpenProcessToken
GetTokenInformation
ConvertSidToStringSidW
CryptAcquireContextW
RegOpenKeyExW
UnregisterTraceGuids
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptGetUserKey
CryptDestroyKey
RegOpenCurrentUser
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegCreateKeyExW
RegSetValueExW
RegCloseKey
TraceMessage
RegQueryValueExW

userenv

ExpandEnvironmentStringsForUserW

wldap32

ord88
ord14
ord16
ord145
ord12
ord41
ord301
ord167
ord147
ord224
ord97
ord73
ord127
ord26
ord208
ord79
ord142
ord190
ord40
ord10
ord149
ord18
ord140
ord13

ntdsapi

DsUnBindW
DsBindW
DsReplicaFreeInfo
DsReplicaGetInfo2W

netapi32

NetApiBufferFree
DsRoleFreeMemory
DsRoleGetPrimaryDomainInformation
DsGetDcNameW

crypt32

CertCloseStore
CertAddSerializedElementToStore
CertGetCertificateContextProperty
CertFreeCertificateContext
CryptHashCertificate
CertOpenStore

secur32

GetUserNameExW

Exports

Exports

DimsRoamEntry

Sections

.text
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 544B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 24KB - Virtual size: 20KB

.rsrc Size: 4KB - Virtual size: 672B

.reloc Size: 4KB - Virtual size: 12B

469e31fbcb0cceedc5dbfe00ddb0c612

Headers

File Characteristics

Imports

msvcrt

kernel32

shell32

advapi32

user32

ole32

dinput8

Exports

Exports

Sections

.text Size: 37KB - Virtual size: 37KB

.data Size: 512B - Virtual size: 266B

.rsrc Size: 1024B - Virtual size: 984B

.reloc Size: 3KB - Virtual size: 2KB

0f1fc30bf49f7faddc0f3241c2f8ff4a

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

ntdll

kernel32

advapi32

netapi32

userenv

Exports

Exports

Sections

.text Size: 15KB - Virtual size: 14KB

.data Size: 512B - Virtual size: 532B

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 1KB - Virtual size: 1KB

4c2e2bb76b94f023d19fc83df8b01168

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

advapi32

userenv

wldap32

ntdsapi

netapi32

crypt32

secur32

Exports

Exports

Sections

.text Size: 34KB - Virtual size: 33KB

.data Size: 512B - Virtual size: 544B

.rsrc Size: 1024B - Virtual size: 1016B

.reloc Size: 2KB - Virtual size: 2KB

.text
Size: 24KB - Virtual size: 20KB

.rsrc
Size: 4KB - Virtual size: 672B

.reloc
Size: 4KB - Virtual size: 12B

.text
Size: 37KB - Virtual size: 37KB

.data
Size: 512B - Virtual size: 266B

.rsrc
Size: 1024B - Virtual size: 984B

.reloc
Size: 3KB - Virtual size: 2KB

.text
Size: 15KB - Virtual size: 14KB

.data
Size: 512B - Virtual size: 532B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 34KB - Virtual size: 33KB

.data
Size: 512B - Virtual size: 544B

.rsrc
Size: 1024B - Virtual size: 1016B

.reloc
Size: 2KB - Virtual size: 2KB