njrat | cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a

General

Target

3daf792075ad0eeacae676b0d7f80a68.exe
Size

31KB
MD5

3daf792075ad0eeacae676b0d7f80a68
SHA1

7b2da0cac13461f09bfba7fad96253e517098ce7
SHA256

cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a
SHA512

da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff

Score

10^/10

njrat mybot evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

6.tcp.ngrok.io:12336

Mutex

442e245fdc9bd3433e2f89240f0d3737

Attributes

reg_key
442e245fdc9bd3433e2f89240f0d3737
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

WindowsServices.exe

pid process

1276 WindowsServices.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

3daf792075ad0eeacae676b0d7f80a68.exe

pid process

1688 3daf792075ad0eeacae676b0d7f80a68.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1276	WindowsServices.exe

pid	process
1688	3daf792075ad0eeacae676b0d7f80a68.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

WindowsServices.exe

description	pid	process
Token: SeDebugPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe
Token: 33	1276	WindowsServices.exe
Token: SeIncBasePriorityPrivilege	1276	WindowsServices.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3daf792075ad0eeacae676b0d7f80a68.exeWindowsServices.exe

description	pid	process	target process
PID 1688 wrote to memory of 1276	1688	3daf792075ad0eeacae676b0d7f80a68.exe	WindowsServices.exe
PID 1688 wrote to memory of 1276	1688	3daf792075ad0eeacae676b0d7f80a68.exe	WindowsServices.exe
PID 1688 wrote to memory of 1276	1688	3daf792075ad0eeacae676b0d7f80a68.exe	WindowsServices.exe
PID 1688 wrote to memory of 1276	1688	3daf792075ad0eeacae676b0d7f80a68.exe	WindowsServices.exe
PID 1276 wrote to memory of 1628	1276	WindowsServices.exe	netsh.exe
PID 1276 wrote to memory of 1628	1276	WindowsServices.exe	netsh.exe
PID 1276 wrote to memory of 1628	1276	WindowsServices.exe	netsh.exe
PID 1276 wrote to memory of 1628	1276	WindowsServices.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\3daf792075ad0eeacae676b0d7f80a68.exe
"C:\Users\Admin\AppData\Local\Temp\3daf792075ad0eeacae676b0d7f80a68.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe" "WindowsServices.exe" ENABLE
3⤵
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
3daf792075ad0eeacae676b0d7f80a68

SHA1
7b2da0cac13461f09bfba7fad96253e517098ce7

SHA256
cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a

SHA512
da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
3daf792075ad0eeacae676b0d7f80a68

SHA1
7b2da0cac13461f09bfba7fad96253e517098ce7

SHA256
cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a

SHA512
da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsServices.exe
MD5
3daf792075ad0eeacae676b0d7f80a68

SHA1
7b2da0cac13461f09bfba7fad96253e517098ce7

SHA256
cd6e990e83a947ee95fc38e33ef891fcd2adca0c669eba160cca49895471663a

SHA512
da79cfb46e336d052353311cb0fb8a2b151c3f390dfe37dff008d6a8f3dcb09ceaa6c98a3d3c7174aefb0a900a77767c03cbc8742465b9cc75fd8e2847064bff

Download Submit
memory/1276-63-0x0000000000000000-mapping.dmp

Download
memory/1276-67-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1628-68-0x0000000000000000-mapping.dmp

Download
memory/1688-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1688-61-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing