njrat | 54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

Analysis

max time kernel
151s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
13-08-2021 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2AD561E9BB9F780F56D5E7A280574432.exe
Size

375KB
MD5

2ad561e9bb9f780f56d5e7a280574432
SHA1

e6bc833d62ef0ec1e08674a0a8707e3ce2f09007
SHA256

54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3
SHA512

8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

Score

10^/10

njrat hacked evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

212.192.241.42:5552

Mutex

34adf4afddd35097c6bf7951c5baad3a

Attributes

reg_key
34adf4afddd35097c6bf7951c5baad3a
splitter
|'|'|

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	2AD561E9BB9F780F56D5E7A280574432.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\","	server.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Executes dropped EXE 2 IoCs

pid	Process
2952	server.exe
908	server.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 652 set thread context of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 2952 set thread context of 908	2952	server.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	2AD561E9BB9F780F56D5E7A280574432.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	server.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
3860	powershell.exe
3860	powershell.exe
3860	powershell.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
652	2AD561E9BB9F780F56D5E7A280574432.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
736	powershell.exe
736	powershell.exe
736	powershell.exe
3964	powershell.exe
3964	powershell.exe
3964	powershell.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
2952	server.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	2252	powershell.exe
Token: SeSecurityPrivilege	2252	powershell.exe
Token: SeTakeOwnershipPrivilege	2252	powershell.exe
Token: SeLoadDriverPrivilege	2252	powershell.exe
Token: SeSystemProfilePrivilege	2252	powershell.exe
Token: SeSystemtimePrivilege	2252	powershell.exe
Token: SeProfSingleProcessPrivilege	2252	powershell.exe
Token: SeIncBasePriorityPrivilege	2252	powershell.exe
Token: SeCreatePagefilePrivilege	2252	powershell.exe
Token: SeBackupPrivilege	2252	powershell.exe
Token: SeRestorePrivilege	2252	powershell.exe
Token: SeShutdownPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeSystemEnvironmentPrivilege	2252	powershell.exe
Token: SeRemoteShutdownPrivilege	2252	powershell.exe
Token: SeUndockPrivilege	2252	powershell.exe
Token: SeManageVolumePrivilege	2252	powershell.exe
Token: 33	2252	powershell.exe
Token: 34	2252	powershell.exe
Token: 35	2252	powershell.exe
Token: 36	2252	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeIncreaseQuotaPrivilege	3860	powershell.exe
Token: SeSecurityPrivilege	3860	powershell.exe
Token: SeTakeOwnershipPrivilege	3860	powershell.exe
Token: SeLoadDriverPrivilege	3860	powershell.exe
Token: SeSystemProfilePrivilege	3860	powershell.exe
Token: SeSystemtimePrivilege	3860	powershell.exe
Token: SeProfSingleProcessPrivilege	3860	powershell.exe
Token: SeIncBasePriorityPrivilege	3860	powershell.exe
Token: SeCreatePagefilePrivilege	3860	powershell.exe
Token: SeBackupPrivilege	3860	powershell.exe
Token: SeRestorePrivilege	3860	powershell.exe
Token: SeShutdownPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeSystemEnvironmentPrivilege	3860	powershell.exe
Token: SeRemoteShutdownPrivilege	3860	powershell.exe
Token: SeUndockPrivilege	3860	powershell.exe
Token: SeManageVolumePrivilege	3860	powershell.exe
Token: 33	3860	powershell.exe
Token: 34	3860	powershell.exe
Token: 35	3860	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	75
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	75
PID 652 wrote to memory of 2252	652	2AD561E9BB9F780F56D5E7A280574432.exe	75
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	77
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	77
PID 652 wrote to memory of 3860	652	2AD561E9BB9F780F56D5E7A280574432.exe	77
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	82
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	82
PID 652 wrote to memory of 3740	652	2AD561E9BB9F780F56D5E7A280574432.exe	82
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 652 wrote to memory of 3684	652	2AD561E9BB9F780F56D5E7A280574432.exe	83
PID 3740 wrote to memory of 3140	3740	WScript.exe	84
PID 3740 wrote to memory of 3140	3740	WScript.exe	84
PID 3740 wrote to memory of 3140	3740	WScript.exe	84
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	86
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	86
PID 3684 wrote to memory of 2952	3684	2AD561E9BB9F780F56D5E7A280574432.exe	86
PID 2952 wrote to memory of 736	2952	server.exe	87
PID 2952 wrote to memory of 736	2952	server.exe	87
PID 2952 wrote to memory of 736	2952	server.exe	87
PID 2952 wrote to memory of 3964	2952	server.exe	89
PID 2952 wrote to memory of 3964	2952	server.exe	89
PID 2952 wrote to memory of 3964	2952	server.exe	89
PID 2952 wrote to memory of 3984	2952	server.exe	91
PID 2952 wrote to memory of 3984	2952	server.exe	91
PID 2952 wrote to memory of 3984	2952	server.exe	91
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 2952 wrote to memory of 908	2952	server.exe	92
PID 3984 wrote to memory of 3976	3984	WScript.exe	93
PID 3984 wrote to memory of 3976	3984	WScript.exe	93
PID 3984 wrote to memory of 3976	3984	WScript.exe	93
PID 908 wrote to memory of 2160	908	server.exe	95
PID 908 wrote to memory of 2160	908	server.exe	95
PID 908 wrote to memory of 2160	908	server.exe	95

C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
"C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3140
- C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  C:\Users\Admin\AppData\Local\Temp\2AD561E9BB9F780F56D5E7A280574432.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3964
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      Executes dropped EXE
      Drops startup file
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        
        PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-114-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/652-312-0x0000000006930000-0x0000000006976000-memory.dmp

Filesize
280KB

Download
memory/652-313-0x0000000006980000-0x00000000069F5000-memory.dmp

Filesize
468KB

Download
memory/652-117-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x0000000004CE0000-0x00000000051DE000-memory.dmp

Filesize
5.0MB

Download
memory/736-546-0x0000000007313000-0x0000000007314000-memory.dmp

Filesize
4KB

Download
memory/736-462-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/736-464-0x0000000007312000-0x0000000007313000-memory.dmp

Filesize
4KB

Download
memory/908-1042-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/2252-139-0x0000000008BB0000-0x0000000008BB1000-memory.dmp

Filesize
4KB

Download
memory/2252-149-0x0000000006A93000-0x0000000006A94000-memory.dmp

Filesize
4KB

Download
memory/2252-123-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/2252-124-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/2252-125-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/2252-126-0x0000000006A92000-0x0000000006A93000-memory.dmp

Filesize
4KB

Download
memory/2252-127-0x0000000006E30000-0x0000000006E31000-memory.dmp

Filesize
4KB

Download
memory/2252-128-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2252-129-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/2252-130-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/2252-131-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2252-132-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/2252-133-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

Filesize
4KB

Download
memory/2252-138-0x0000000008E40000-0x0000000008E41000-memory.dmp

Filesize
4KB

Download
memory/2252-140-0x0000000008C00000-0x0000000008C01000-memory.dmp

Filesize
4KB

Download
memory/2252-148-0x0000000009F60000-0x0000000009F61000-memory.dmp

Filesize
4KB

Download
memory/2952-440-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/3140-329-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3140-396-0x0000000007393000-0x0000000007394000-memory.dmp

Filesize
4KB

Download
memory/3140-357-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

Filesize
4KB

Download
memory/3140-352-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/3140-345-0x00000000099C0000-0x00000000099F3000-memory.dmp

Filesize
204KB

Download
memory/3140-336-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/3140-358-0x000000007F2F0000-0x000000007F2F1000-memory.dmp

Filesize
4KB

Download
memory/3140-333-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/3140-331-0x0000000007392000-0x0000000007393000-memory.dmp

Filesize
4KB

Download
memory/3684-316-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3684-321-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/3860-192-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/3860-224-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/3860-190-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/3964-689-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3964-726-0x0000000000C53000-0x0000000000C54000-memory.dmp

Filesize
4KB

Download
memory/3964-690-0x0000000000C52000-0x0000000000C53000-memory.dmp

Filesize
4KB

Download
memory/3976-892-0x00000000075C3000-0x00000000075C4000-memory.dmp

Filesize
4KB

Download
memory/3976-802-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3976-803-0x00000000075C2000-0x00000000075C3000-memory.dmp

Filesize
4KB

Download
memory/3976-891-0x000000007EFB0000-0x000000007EFB1000-memory.dmp

Filesize
4KB

Download