njrat | eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4

General

Target

eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
Size

37KB
MD5

f0e1a89b03abdd826e7c90638f82bd63
SHA1

cd3134167e54900784b4cf6efcafe7bd2bc458ad
SHA256

eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4
SHA512

5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1,127.0.0.1:3222

Mutex

7e2377223e3439a6407c3c6896272242

Attributes

reg_key
7e2377223e3439a6407c3c6896272242
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

cheat.exe

pid process

2184 cheat.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

cheat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe	cheat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e2377223e3439a6407c3c6896272242.exe	cheat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cheat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7e2377223e3439a6407c3c6896272242 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cheat.exe\" .."	cheat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cheat.exe

pid	process
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe
2184	cheat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cheat.exe

pid process

2184 cheat.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

cheat.exe

description	pid	process
Token: SeDebugPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe
Token: 33	2184	cheat.exe
Token: SeIncBasePriorityPrivilege	2184	cheat.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.execheat.exe

description	pid	process	target process
PID 3172 wrote to memory of 2184	3172	eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe	cheat.exe
PID 3172 wrote to memory of 2184	3172	eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe	cheat.exe
PID 3172 wrote to memory of 2184	3172	eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe	cheat.exe
PID 2184 wrote to memory of 2352	2184	cheat.exe	netsh.exe
PID 2184 wrote to memory of 2352	2184	cheat.exe	netsh.exe
PID 2184 wrote to memory of 2352	2184	cheat.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe
"C:\Users\Admin\AppData\Local\Temp\eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cheat.exe" "cheat.exe" ENABLE
3⤵
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5
f0e1a89b03abdd826e7c90638f82bd63

SHA1
cd3134167e54900784b4cf6efcafe7bd2bc458ad

SHA256
eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4

SHA512
5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5
f0e1a89b03abdd826e7c90638f82bd63

SHA1
cd3134167e54900784b4cf6efcafe7bd2bc458ad

SHA256
eeaeea4dd8b546df89208106c429bb3b7e9a906bab426e8a2610fe4588c320a4

SHA512
5274482e4cb77e0acf990d0606333d204be912738bc060e5b6b4094e6be15c02d741b92345e61c6bf090d69a253d9d586352e23f8bf571e053a71bc889719156

Download Submit
memory/2184-116-0x0000000000000000-mapping.dmp

Download
memory/2184-119-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2352-120-0x0000000000000000-mapping.dmp

Download
memory/3172-115-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads