njrat | 0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

General

Target

z2d6Yt5v.exe
Size

23KB
MD5

9bb6d4f72a348ad47cc97185604f4dd9
SHA1

7384957e8a29f517654fcbd905861574e772d3ed
SHA256

0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1
SHA512

3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Score

10^/10

njrat bouffon evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Bouffon

C2

noiphack93.hopto.org:5553

Mutex

af48625ee196d906557ab2d838a9cc2f

Attributes

reg_key
af48625ee196d906557ab2d838a9cc2f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Core Service.exetmp2B42.tmp.exetmp2B42.tmp.exe

pid process

868 Core Service.exe
4080 tmp2B42.tmp.exe
1640 tmp2B42.tmp.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
868	Core Service.exe
4080	tmp2B42.tmp.exe
1640	tmp2B42.tmp.exe

Drops startup file 5 IoCs

Processes:

tmp2B42.tmp.exeCore Service.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	tmp2B42.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.url	tmp2B42.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Core Service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af48625ee196d906557ab2d838a9cc2f.exe	Core Service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	tmp2B42.tmp.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Core Service.exetmp2B42.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."	Core Service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\af48625ee196d906557ab2d838a9cc2f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Core Service.exe\" .."	Core Service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2B42.tmp.exe\" .."	tmp2B42.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2B42.tmp.exe\" .."	tmp2B42.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

824 schtasks.exe
2472 schtasks.exe

pid	process
824	schtasks.exe
2472	schtasks.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Core Service.exetmp2B42.tmp.exe

description	pid	process
Token: SeDebugPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: SeDebugPrivilege	4080	tmp2B42.tmp.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe
Token: 33	4080	tmp2B42.tmp.exe
Token: SeIncBasePriorityPrivilege	4080	tmp2B42.tmp.exe
Token: 33	4080	tmp2B42.tmp.exe
Token: SeIncBasePriorityPrivilege	4080	tmp2B42.tmp.exe
Token: 33	868	Core Service.exe
Token: SeIncBasePriorityPrivilege	868	Core Service.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

z2d6Yt5v.exeCore Service.exetmp2B42.tmp.exetmp2B42.tmp.exe

description	pid	process	target process
PID 984 wrote to memory of 868	984	z2d6Yt5v.exe	Core Service.exe
PID 984 wrote to memory of 868	984	z2d6Yt5v.exe	Core Service.exe
PID 984 wrote to memory of 868	984	z2d6Yt5v.exe	Core Service.exe
PID 868 wrote to memory of 728	868	Core Service.exe	netsh.exe
PID 868 wrote to memory of 728	868	Core Service.exe	netsh.exe
PID 868 wrote to memory of 728	868	Core Service.exe	netsh.exe
PID 868 wrote to memory of 4080	868	Core Service.exe	tmp2B42.tmp.exe
PID 868 wrote to memory of 4080	868	Core Service.exe	tmp2B42.tmp.exe
PID 868 wrote to memory of 4080	868	Core Service.exe	tmp2B42.tmp.exe
PID 4080 wrote to memory of 2264	4080	tmp2B42.tmp.exe	schtasks.exe
PID 4080 wrote to memory of 2264	4080	tmp2B42.tmp.exe	schtasks.exe
PID 4080 wrote to memory of 2264	4080	tmp2B42.tmp.exe	schtasks.exe
PID 4080 wrote to memory of 824	4080	tmp2B42.tmp.exe	schtasks.exe
PID 4080 wrote to memory of 824	4080	tmp2B42.tmp.exe	schtasks.exe
PID 4080 wrote to memory of 824	4080	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 3180	1640	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 3180	1640	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 3180	1640	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 2472	1640	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 2472	1640	tmp2B42.tmp.exe	schtasks.exe
PID 1640 wrote to memory of 2472	1640	tmp2B42.tmp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe
"C:\Users\Admin\AppData\Local\Temp\z2d6Yt5v.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\Core Service.exe
"C:\Users\Admin\AppData\Local\Temp\Core Service.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Core Service.exe" "Core Service.exe" ENABLE
3⤵
PID:728

C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:824

C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:3180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5
9bb6d4f72a348ad47cc97185604f4dd9

SHA1
7384957e8a29f517654fcbd905861574e772d3ed

SHA256
0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

SHA512
3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Core Service.exe
MD5
9bb6d4f72a348ad47cc97185604f4dd9

SHA1
7384957e8a29f517654fcbd905861574e772d3ed

SHA256
0a170ca414d288bc25ebb5ce92ccd51ff0f62b1479d669172194bf0067601df1

SHA512
3a1e4c94afd24c89a256deca640467c833547fe431c2041f3afc6fafdd3551f7d4f14edfa5be6099901d4bb38526fdfe197702dd334c74d98951887187cf2c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
MD5
e313917d108e311f518d000a83349e42

SHA1
4d6561b1f4dda2e62106698ffd6b4be9e42b2bca

SHA256
a7dc742ea2c45d9cfbdd20fcb07214f0cf6e1d2dddd76a01addb0fe42e8b979b

SHA512
3e785fca574aa94cf7d41390e8bdb228fd6ace75212efff8ccbe7e062ede056688dc8e1b308c73f648bae06f492d021231c45b8203b7d079d79320e0ec6049fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
MD5
e313917d108e311f518d000a83349e42

SHA1
4d6561b1f4dda2e62106698ffd6b4be9e42b2bca

SHA256
a7dc742ea2c45d9cfbdd20fcb07214f0cf6e1d2dddd76a01addb0fe42e8b979b

SHA512
3e785fca574aa94cf7d41390e8bdb228fd6ace75212efff8ccbe7e062ede056688dc8e1b308c73f648bae06f492d021231c45b8203b7d079d79320e0ec6049fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B42.tmp.exe
MD5
e313917d108e311f518d000a83349e42

SHA1
4d6561b1f4dda2e62106698ffd6b4be9e42b2bca

SHA256
a7dc742ea2c45d9cfbdd20fcb07214f0cf6e1d2dddd76a01addb0fe42e8b979b

SHA512
3e785fca574aa94cf7d41390e8bdb228fd6ace75212efff8ccbe7e062ede056688dc8e1b308c73f648bae06f492d021231c45b8203b7d079d79320e0ec6049fe

Download Submit
memory/728-3-0x0000000000000000-mapping.dmp

Download
memory/824-8-0x0000000000000000-mapping.dmp

Download
memory/868-0-0x0000000000000000-mapping.dmp

Download
memory/2264-7-0x0000000000000000-mapping.dmp

Download
memory/2472-11-0x0000000000000000-mapping.dmp

Download
memory/3180-10-0x0000000000000000-mapping.dmp

Download
memory/4080-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads