njrat | 3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506

General

Target

aff78e3bfeb28385f20384fc6e3f3327.exe
Size

100KB
MD5

aff78e3bfeb28385f20384fc6e3f3327
SHA1

d448f9c3a5df6c8ae81e3178f14b39ce63619b7d
SHA256

3f79c48003089ef4f35e9fdcfaeba9323c1a80251e91a3f1bd3673d2ec02a506
SHA512

9e7fbbe9ba4914828859936f5ad6330a65b1aa58afe26a611a0b6f3d16a5387a4b707790ccb2d67a822f6fc14c4f92b48fbbfffc3af4a04e329daf78ca1d54ee

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

1344 chargeable.exe
1352 chargeable.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 2 IoCs

Processes:

aff78e3bfeb28385f20384fc6e3f3327.exe

pid process

1120 aff78e3bfeb28385f20384fc6e3f3327.exe
1120 aff78e3bfeb28385f20384fc6e3f3327.exe

pid	process
1344	chargeable.exe
1352	chargeable.exe

pid	process
1120	aff78e3bfeb28385f20384fc6e3f3327.exe
1120	aff78e3bfeb28385f20384fc6e3f3327.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aff78e3bfeb28385f20384fc6e3f3327.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aff78e3bfeb28385f20384fc6e3f3327.exe"	aff78e3bfeb28385f20384fc6e3f3327.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	aff78e3bfeb28385f20384fc6e3f3327.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 1344 set thread context of 1352 1344 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1344 set thread context of 1352	1344	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe
Token: 33	1352	chargeable.exe
Token: SeIncBasePriorityPrivilege	1352	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

aff78e3bfeb28385f20384fc6e3f3327.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1120 wrote to memory of 1344	1120	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 1120 wrote to memory of 1344	1120	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 1120 wrote to memory of 1344	1120	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 1120 wrote to memory of 1344	1120	aff78e3bfeb28385f20384fc6e3f3327.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1344 wrote to memory of 1352	1344	chargeable.exe	chargeable.exe
PID 1352 wrote to memory of 1184	1352	chargeable.exe	netsh.exe
PID 1352 wrote to memory of 1184	1352	chargeable.exe	netsh.exe
PID 1352 wrote to memory of 1184	1352	chargeable.exe	netsh.exe
PID 1352 wrote to memory of 1184	1352	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe
"C:\Users\Admin\AppData\Local\Temp\aff78e3bfeb28385f20384fc6e3f3327.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
abb9fd4e3892c4e712e8594f8af7ba27

SHA1
cd30cac59687d163e275afbf8ed9998d3e011c65

SHA256
59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3

SHA512
c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
abb9fd4e3892c4e712e8594f8af7ba27

SHA1
cd30cac59687d163e275afbf8ed9998d3e011c65

SHA256
59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3

SHA512
c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
abb9fd4e3892c4e712e8594f8af7ba27

SHA1
cd30cac59687d163e275afbf8ed9998d3e011c65

SHA256
59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3

SHA512
c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
abb9fd4e3892c4e712e8594f8af7ba27

SHA1
cd30cac59687d163e275afbf8ed9998d3e011c65

SHA256
59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3

SHA512
c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe
MD5
abb9fd4e3892c4e712e8594f8af7ba27

SHA1
cd30cac59687d163e275afbf8ed9998d3e011c65

SHA256
59ca6d702a83eca3bcf4cd7208552109dd23161408f30e1c17a7c77e128df0d3

SHA512
c27c59f4163bf623e84c8ef27154d7f71e506ef337567941c3090d8de77d3761b1915e7815e7434ae91c8bf4af2ba567edd7d32461fc0fc8913471a2037486c9

Download Submit
memory/1184-12-0x0000000000000000-mapping.dmp

Download
memory/1344-4-0x0000000000000000-mapping.dmp

Download
memory/1352-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1352-8-0x000000000040748E-mapping.dmp

Download
memory/1352-11-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1352-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads