General

  • Target

    06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js.xz

  • Size

    4KB

  • Sample

    241206-tfcgdavqby

  • MD5

    7e9c67f2546cf7786527b9faef7581da

  • SHA1

    62f4d38b8c8b3c743154c1b854aa134f30069b76

  • SHA256

    b91fd2517dd1aa0a3f6ed4c37e62794279da383ee8f3d3724818253efadbcdd8

  • SHA512

    8c0b870f08d08c8e6488318e6024709f19fdb84083819ebbefd3b70e72bc53d83a70c13025b2b73849042a82637ed63ebfa0dc30e39e0834bf38e9e10d1da920

  • SSDEEP

    96:NGkJu2uW91NMUXa0N7Qlvlcq2ehIYWAyu1U8ERx7OwiXJZXSEtThvrp3g7:ItWvAaMjcqzhIYWA1ED7OweCOvrp0

Malware Config

Extracted

  • Language

    ps1

  • Source

    URLs

  • exe.dropper

    https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    fYudY1578@@@@@@

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

hugolganador.duckdns.org:5250

Mutex

f07d2cf4921a47eb98

Attributes

  • reg_key

    f07d2cf4921a47eb98

  • splitter

    @!#&^%$

Targets

    • Target

      06122024_1551_04122024_Historial-Declcaraciones-vencidas-2022-2023.js

    • Size

      195KB

    • MD5

      6675b77a4e527883e0cd36a107269299

    • SHA1

      48b54aab7672ff52328632c110c7b14207f91832

    • SHA256

      cb8afa9d1cab7e87066a992f5954e223720e39064d6d9f425a5e85a13e6a9b3a

    • SHA512

      b4182d413aa3b8133c72a61a3b2136f6a61a4ce0a6f054d40329a00c897140003046ec34fce3dea5de6c88a491b3a920744cb48fb69b6c4f0c70f5bbc6f79046

    • SSDEEP

      3072:lW1tKbWXt+NWXt+NWXt+NWXt+NWXt+NWXt+CWXt+NWXt+NWXt+NWXt+NWXt+NWXC:G

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Hide Artifacts: Hidden Window

      Windows that would typically be displayed when an application carries out an operation can be hidden.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks