njrat | b1c0e35f47273a236518f43ee56c0367d8b423ca9ed8f9e7ad4a875caa47bb69

General

Target

753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
Size

84KB
MD5

753c707e47bce65d32be781ea1584e0b
SHA1

7b43f6a910b01553dfae51560570365e3ce9ed42
SHA256

b1c0e35f47273a236518f43ee56c0367d8b423ca9ed8f9e7ad4a875caa47bb69
SHA512

8afc2ebbc80e17e42317202e9479e0c223456cf9f0b22ccdf9fe486eff19ebf9a33a2e00c01aa81168d4ad9950c34c8d78dc2f5821702fe61874221088d3cdda
SSDEEP

1536:2ppfa5dJy8Cgrw7rPNDwhucaDlZ5gb0HI//4gQF0eCaL:3yIwmhuDlZWbcO4/waL

Score

10^/10

njrat nyan cat discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

NYAN CAT

C2

narotomagic.publicvm.com:6663

Mutex

a728eeadc9774101a351e2a5b3fe9598

Attributes

reg_key
a728eeadc9774101a351e2a5b3fe9598
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	primt.exe
3300	primt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\primt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\primt.exe\""	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 1572 set thread context of 3300	1572	primt.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	primt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	primt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
Token: SeDebugPrivilege	1572	primt.exe
Token: SeDebugPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe
Token: 33	3300	primt.exe
Token: SeIncBasePriorityPrivilege	3300	primt.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 3016 wrote to memory of 4380	3016	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	86
PID 4380 wrote to memory of 1572	4380	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	100
PID 4380 wrote to memory of 1572	4380	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	100
PID 4380 wrote to memory of 1572	4380	753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe	100
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102
PID 1572 wrote to memory of 3300	1572	primt.exe	102

C:\Users\Admin\AppData\Local\Temp\753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Roaming\primt.exe
    "C:\Users\Admin\AppData\Roaming\primt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Users\Admin\AppData\Roaming\primt.exe
      C:\Users\Admin\AppData\Roaming\primt.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\753c707e47bce65d32be781ea1584e0b_JaffaCakes118.exe.log

Filesize
224B

MD5
9c4b66f77f12558c48b620ddfb44029d

SHA1
446651db643b943ec37b9b3599655e211a4bc73e

SHA256
42f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708

SHA512
983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e

Download Submit
C:\Users\Admin\AppData\Roaming\primt.exe

Filesize
48.9MB

MD5
aafcba1ee9b8392b7694e404bb3108f2

SHA1
baa6a8c4683ef2f167400a1a0def234b959d4092

SHA256
8bd26471d5a6b48328fc079834e75d0a7f19493e80fb445d9dd78472cec9d516

SHA512
262c65adc2073fab2911357d66bbfcf009c781b7002e2655f4ba1c490b859a9d721316f60577c841a30105025460698d3313b997d75d6ce4515c39c13659dfc1

Download Submit
memory/1572-23-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/1572-28-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3016-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

Filesize
4KB

Download
memory/3016-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3016-7-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3016-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3300-29-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3300-30-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/3300-31-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-6-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-8-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-10-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-21-0x0000000074EF0000-0x00000000754A1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads