njrat | cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
11-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
Size

398KB
MD5

61522f3e0ff5ffcd3b70af0969ce67ff
SHA1

055acee75181881b27e6c489b85efc530ed2a145
SHA256

cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2
SHA512

650da92d3c10f8649253016c721a7c522b213342913c134303a843aedee51e10e77a6913a8fe707a26b895d606dd2d362a5eba14de25c5f90a5eee1f8f8defd8

Score

10^/10

njrat aaa lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

hacktrojancy.ddns.net:1177

Mutex

d4edd1f042d4d9678bd0e6fffb41b44f

Attributes

reg_key
d4edd1f042d4d9678bd0e6fffb41b44f
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

aaa

0.tcp.ngrok.io:18926

Mutex

25cfdc389bb9a2acd67334f0453faa4c

Attributes

reg_key
25cfdc389bb9a2acd67334f0453faa4c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

Lammer.exeaaa.exeNetFlix Creator.exeTrojan.exeChrome.exe

pid process

2528 Lammer.exe
3608 aaa.exe
3876 NetFlix Creator.exe
3972 Trojan.exe
4040 Chrome.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
2528	Lammer.exe
3608	aaa.exe
3876	NetFlix Creator.exe
3972	Trojan.exe
4040	Chrome.exe

Drops startup file 4 IoCs

Processes:

Chrome.exeTrojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe	Chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe	Chrome.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe	Trojan.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Chrome.exeTrojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."	Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."	Chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Chrome.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	4040	Chrome.exe
Token: SeDebugPrivilege	3972	Trojan.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe
Token: 33	4040	Chrome.exe
Token: SeIncBasePriorityPrivilege	4040	Chrome.exe
Token: 33	3972	Trojan.exe
Token: SeIncBasePriorityPrivilege	3972	Trojan.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exeaaa.exeLammer.exeTrojan.exeChrome.exe

description	pid	process	target process
PID 4044 wrote to memory of 2528	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 4044 wrote to memory of 2528	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 4044 wrote to memory of 2528	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 4044 wrote to memory of 3608	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 4044 wrote to memory of 3608	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 4044 wrote to memory of 3608	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 4044 wrote to memory of 3876	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 4044 wrote to memory of 3876	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 4044 wrote to memory of 3876	4044	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 3608 wrote to memory of 3972	3608	aaa.exe	Trojan.exe
PID 3608 wrote to memory of 3972	3608	aaa.exe	Trojan.exe
PID 3608 wrote to memory of 3972	3608	aaa.exe	Trojan.exe
PID 2528 wrote to memory of 4040	2528	Lammer.exe	Chrome.exe
PID 2528 wrote to memory of 4040	2528	Lammer.exe	Chrome.exe
PID 2528 wrote to memory of 4040	2528	Lammer.exe	Chrome.exe
PID 3972 wrote to memory of 3936	3972	Trojan.exe	netsh.exe
PID 3972 wrote to memory of 3936	3972	Trojan.exe	netsh.exe
PID 3972 wrote to memory of 3936	3972	Trojan.exe	netsh.exe
PID 4040 wrote to memory of 3744	4040	Chrome.exe	netsh.exe
PID 4040 wrote to memory of 3744	4040	Chrome.exe	netsh.exe
PID 4040 wrote to memory of 3744	4040	Chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
"C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\Lammer.exe
  "C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE
      4⤵
      PID:3744
- C:\Users\Admin\AppData\Local\Temp\aaa.exe
  "C:\Users\Admin\AppData\Local\Temp\aaa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
      4⤵
      PID:3936
- C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe
  "C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe"
  2⤵
  - Executes dropped EXE
  PID:3876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome.exe

MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.exe

MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lammer.exe

MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lammer.exe

MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe

MD5
116a916ff39ebc0daf9d91e036894527

SHA1
a0a8141606bba86eba2049a3a52d9e26aa0df606

SHA256
b9d7e49ef7f5d2bcccebf1640f47772e6dae4f687517f319759720f012ca81b6

SHA512
0ad2dcbc58bc04dc2b1127c9d2565752ad5f96368e96efa76c7878d5610884cfada98fbc3ce7b7f04f2155f1da591bf2da8c7524c5d8b85d977fb30ef1b510f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe

MD5
116a916ff39ebc0daf9d91e036894527

SHA1
a0a8141606bba86eba2049a3a52d9e26aa0df606

SHA256
b9d7e49ef7f5d2bcccebf1640f47772e6dae4f687517f319759720f012ca81b6

SHA512
0ad2dcbc58bc04dc2b1127c9d2565752ad5f96368e96efa76c7878d5610884cfada98fbc3ce7b7f04f2155f1da591bf2da8c7524c5d8b85d977fb30ef1b510f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe

MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe

MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
memory/2528-129-0x0000000000820000-0x000000000096A000-memory.dmp

Filesize
1.3MB

Download
memory/2528-115-0x0000000000000000-mapping.dmp

Download
memory/3608-118-0x0000000000000000-mapping.dmp

Download
memory/3608-128-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3744-144-0x0000000000000000-mapping.dmp

Download
memory/3876-133-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/3876-134-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/3876-131-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3876-132-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/3876-124-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/3876-130-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3876-127-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/3876-121-0x0000000000000000-mapping.dmp

Download
memory/3876-126-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3936-143-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x0000000000000000-mapping.dmp

Download
memory/3972-141-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/4040-142-0x0000000002B60000-0x0000000002B61000-memory.dmp

Filesize
4KB

Download
memory/4040-136-0x0000000000000000-mapping.dmp

Download