njrat | 0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a

General

Target

Vrz7skDd.exe
Size

23KB
MD5

d53632afb8714caff16ff790a2799cd4
SHA1

2b156be1603ee3f615d3727c6d28d30b44821869
SHA256

0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a
SHA512

97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012

Score

10^/10

njrat ابن سوريا a_b_n_syria evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ابن سوريا A_B_N_SYRIA

C2

xoruf.ddns.net:5552

Mutex

5e3a65ea61324e81c313ed04d0316f69

Attributes

reg_key
5e3a65ea61324e81c313ed04d0316f69
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Google Chrome.exe

pid process

1504 Google Chrome.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1504	Google Chrome.exe

Drops startup file 2 IoCs

Processes:

Google Chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e3a65ea61324e81c313ed04d0316f69.exe	Google Chrome.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e3a65ea61324e81c313ed04d0316f69.exe	Google Chrome.exe

Loads dropped DLL 1 IoCs

Processes:

Vrz7skDd.exe

pid process

1084 Vrz7skDd.exe

pid	process
1084	Vrz7skDd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Google Chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome.exe\" .."	Google Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5e3a65ea61324e81c313ed04d0316f69 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome.exe\" .."	Google Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Google Chrome.exe

description	pid	process
Token: SeDebugPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe
Token: 33	1504	Google Chrome.exe
Token: SeIncBasePriorityPrivilege	1504	Google Chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Vrz7skDd.exeGoogle Chrome.exe

description	pid	process	target process
PID 1084 wrote to memory of 1504	1084	Vrz7skDd.exe	Google Chrome.exe
PID 1084 wrote to memory of 1504	1084	Vrz7skDd.exe	Google Chrome.exe
PID 1084 wrote to memory of 1504	1084	Vrz7skDd.exe	Google Chrome.exe
PID 1084 wrote to memory of 1504	1084	Vrz7skDd.exe	Google Chrome.exe
PID 1504 wrote to memory of 1612	1504	Google Chrome.exe	netsh.exe
PID 1504 wrote to memory of 1612	1504	Google Chrome.exe	netsh.exe
PID 1504 wrote to memory of 1612	1504	Google Chrome.exe	netsh.exe
PID 1504 wrote to memory of 1612	1504	Google Chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe
"C:\Users\Admin\AppData\Local\Temp\Vrz7skDd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Roaming\Google Chrome.exe
"C:\Users\Admin\AppData\Roaming\Google Chrome.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Google Chrome.exe" "Google Chrome.exe" ENABLE
3⤵
PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google Chrome.exe
MD5
d53632afb8714caff16ff790a2799cd4

SHA1
2b156be1603ee3f615d3727c6d28d30b44821869

SHA256
0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a

SHA512
97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome.exe
MD5
d53632afb8714caff16ff790a2799cd4

SHA1
2b156be1603ee3f615d3727c6d28d30b44821869

SHA256
0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a

SHA512
97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012

Download Submit
\Users\Admin\AppData\Roaming\Google Chrome.exe
MD5
d53632afb8714caff16ff790a2799cd4

SHA1
2b156be1603ee3f615d3727c6d28d30b44821869

SHA256
0cf5a7646bb4033425811d5d0a1432d229c87e4850228be4ca5493fcaf2c0c3a

SHA512
97f2dbb993100d414de977f1bbed851acec1d766f2593038f926f11d3d1d75d82ef6fda136feb12392023defe5c5abc991037900d8101a29f68c11db9a074012

Download Submit
memory/1504-3-0x0000000000000000-mapping.dmp

Download
memory/1612-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads