njrat | 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

General

Target

z2d6Yt5v.exe
Size

23KB
MD5

9bb6d4f72a348ad47cc97185604f4dd9
SHA1

7384957e8a29f517654fcbd905861574e772d3ed
SHA256

0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
SHA512

3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Score

10^/10

njrat bouffon evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bouffon

C2

noiphack93.hopto.org:5553

Mutex

af48625ee196d906557ab2d838a9cc2f

Attributes

reg_key
af48625ee196d906557ab2d838a9cc2f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Core Service.exe

pid process

1680 Core Service.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1680	Core Service.exe

Drops startup file 2 IoCs

Processes:

Core Service.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Core Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Core Service.exe

Loads dropped DLL 1 IoCs

Processes:

z2d6Yt5v.exe

pid process

364 z2d6Yt5v.exe

pid	process
364	z2d6Yt5v.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Core Service.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."	Core Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."	Core Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Core Service.exe

description	pid	process
Token: SeDebugPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe
Token: 33	1680	Core Service.exe
Token: SeIncBasePriorityPrivilege	1680	Core Service.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

z2d6Yt5v.exeCore Service.exe

description	pid	process	target process
PID 364 wrote to memory of 1680	364	z2d6Yt5v.exe	Core Service.exe
PID 364 wrote to memory of 1680	364	z2d6Yt5v.exe	Core Service.exe
PID 364 wrote to memory of 1680	364	z2d6Yt5v.exe	Core Service.exe
PID 364 wrote to memory of 1680	364	z2d6Yt5v.exe	Core Service.exe
PID 1680 wrote to memory of 848	1680	Core Service.exe	netsh.exe
PID 1680 wrote to memory of 848	1680	Core Service.exe	netsh.exe
PID 1680 wrote to memory of 848	1680	Core Service.exe	netsh.exe
PID 1680 wrote to memory of 848	1680	Core Service.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe
"C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\Core Service.exe
"C:\Users\Admin\AppData\Local\Temp\Core Service.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Core Service.exe" "Core Service.exe" ENABLE
3⤵
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5
9bb6d4f72a348ad47cc97185604f4dd9

SHA1
7384957e8a29f517654fcbd905861574e772d3ed

SHA256
0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

SHA512
3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5
9bb6d4f72a348ad47cc97185604f4dd9

SHA1
7384957e8a29f517654fcbd905861574e772d3ed

SHA256
0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

SHA512
3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Download Submit
\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5
9bb6d4f72a348ad47cc97185604f4dd9

SHA1
7384957e8a29f517654fcbd905861574e772d3ed

SHA256
0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

SHA512
3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Download Submit
memory/848-4-0x0000000000000000-mapping.dmp

Download
memory/1680-1-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads