njrat | cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2

Analysis

max time kernel
150s
max time network
162s
platform
windows10_x64
resource
win10v20210408
submitted
11-09-2021 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
Size

398KB
MD5

61522f3e0ff5ffcd3b70af0969ce67ff
SHA1

055acee75181881b27e6c489b85efc530ed2a145
SHA256

cf75d51ec31d817017d71dbe8def69d443e4ecca131e70ca6252ebc455e065a2
SHA512

650da92d3c10f8649253016c721a7c522b213342913c134303a843aedee51e10e77a6913a8fe707a26b895d606dd2d362a5eba14de25c5f90a5eee1f8f8defd8

Score

10^/10

njrat aaa lammer evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

hacktrojancy.ddns.net:1177

Mutex

d4edd1f042d4d9678bd0e6fffb41b44f

Attributes

reg_key
d4edd1f042d4d9678bd0e6fffb41b44f
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

aaa

0.tcp.ngrok.io:18926

Mutex

25cfdc389bb9a2acd67334f0453faa4c

Attributes

reg_key
25cfdc389bb9a2acd67334f0453faa4c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 5 IoCs

Processes:

Lammer.exeaaa.exeNetFlix Creator.exeTrojan.exeChrome.exe

pid process

500 Lammer.exe
2072 aaa.exe
852 NetFlix Creator.exe
1744 Trojan.exe
1784 Chrome.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
500	Lammer.exe
2072	aaa.exe
852	NetFlix Creator.exe
1744	Trojan.exe
1784	Chrome.exe

Drops startup file 4 IoCs

Processes:

Chrome.exeTrojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe	Chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4edd1f042d4d9678bd0e6fffb41b44f.exe	Chrome.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25cfdc389bb9a2acd67334f0453faa4c.exe	Trojan.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exeChrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25cfdc389bb9a2acd67334f0453faa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."	Chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d4edd1f042d4d9678bd0e6fffb41b44f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe\" .."	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Trojan.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	1744	Trojan.exe
Token: SeDebugPrivilege	1784	Chrome.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe
Token: 33	1784	Chrome.exe
Token: SeIncBasePriorityPrivilege	1784	Chrome.exe
Token: 33	1744	Trojan.exe
Token: SeIncBasePriorityPrivilege	1744	Trojan.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exeaaa.exeLammer.exeChrome.exeTrojan.exe

description	pid	process	target process
PID 584 wrote to memory of 500	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 584 wrote to memory of 500	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 584 wrote to memory of 500	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	Lammer.exe
PID 584 wrote to memory of 2072	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 584 wrote to memory of 2072	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 584 wrote to memory of 2072	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	aaa.exe
PID 584 wrote to memory of 852	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 584 wrote to memory of 852	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 584 wrote to memory of 852	584	CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe	NetFlix Creator.exe
PID 2072 wrote to memory of 1744	2072	aaa.exe	Trojan.exe
PID 2072 wrote to memory of 1744	2072	aaa.exe	Trojan.exe
PID 2072 wrote to memory of 1744	2072	aaa.exe	Trojan.exe
PID 500 wrote to memory of 1784	500	Lammer.exe	Chrome.exe
PID 500 wrote to memory of 1784	500	Lammer.exe	Chrome.exe
PID 500 wrote to memory of 1784	500	Lammer.exe	Chrome.exe
PID 1784 wrote to memory of 2400	1784	Chrome.exe	netsh.exe
PID 1784 wrote to memory of 2400	1784	Chrome.exe	netsh.exe
PID 1784 wrote to memory of 2400	1784	Chrome.exe	netsh.exe
PID 1744 wrote to memory of 2576	1744	Trojan.exe	netsh.exe
PID 1744 wrote to memory of 2576	1744	Trojan.exe	netsh.exe
PID 1744 wrote to memory of 2576	1744	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe
"C:\Users\Admin\AppData\Local\Temp\CF75D51EC31D817017D71DBE8DEF69D443E4ECCA131E7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\Lammer.exe
"C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:500

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Chrome.exe" "Chrome.exe" ENABLE
4⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\aaa.exe
"C:\Users\Admin\AppData\Local\Temp\aaa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2072

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
4⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe
"C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe"
2⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome.exe
MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lammer.exe
MD5
01ac12dcf50810001019cd6b1dfa0d9f

SHA1
76b0213514cccebff4c5202cad1f6b0e21992db7

SHA256
4de7225c68600683c3315e42335deca4e05b2b1e94ad1f5f00a730eb7c7c0f01

SHA512
48074f500404e35f92e869d0e74e92865fa51b1bd6f382939cb2da7a37f69afc7d1811e7612cbef64e551b232de6abca61c6f43e30ad1724ffe483468b7818fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe
MD5
116a916ff39ebc0daf9d91e036894527

SHA1
a0a8141606bba86eba2049a3a52d9e26aa0df606

SHA256
b9d7e49ef7f5d2bcccebf1640f47772e6dae4f687517f319759720f012ca81b6

SHA512
0ad2dcbc58bc04dc2b1127c9d2565752ad5f96368e96efa76c7878d5610884cfada98fbc3ce7b7f04f2155f1da591bf2da8c7524c5d8b85d977fb30ef1b510f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NetFlix Creator.exe
MD5
116a916ff39ebc0daf9d91e036894527

SHA1
a0a8141606bba86eba2049a3a52d9e26aa0df606

SHA256
b9d7e49ef7f5d2bcccebf1640f47772e6dae4f687517f319759720f012ca81b6

SHA512
0ad2dcbc58bc04dc2b1127c9d2565752ad5f96368e96efa76c7878d5610884cfada98fbc3ce7b7f04f2155f1da591bf2da8c7524c5d8b85d977fb30ef1b510f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe
MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaa.exe
MD5
b5742eabacc2885b792bbaea9090f44f

SHA1
a600b268146c6573ccb052fd05ec45bf4825d7d6

SHA256
c367adcbc8da11bbab12771824543f78d842efa423ce03745598cf6ff9b411a6

SHA512
c76b9a8b7d16d42ab23b6487efafb3a2b3e6cd5155dc6ad8283f786429b752d84317652fa55275f52fc94344135d525e2c3ebad2920cf7328e361cc663ef2174

Download Submit
memory/500-128-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/500-114-0x0000000000000000-mapping.dmp

Download
memory/852-133-0x00000000053A0000-0x000000000589E000-memory.dmp

Filesize
5.0MB

Download
memory/852-125-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/852-127-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/852-130-0x00000000053A0000-0x000000000589E000-memory.dmp

Filesize
5.0MB

Download
memory/852-131-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/852-132-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/852-120-0x0000000000000000-mapping.dmp

Download
memory/852-123-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/852-126-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1744-134-0x0000000000000000-mapping.dmp

Download
memory/1744-140-0x0000000001400000-0x0000000001401000-memory.dmp

Filesize
4KB

Download
memory/1784-137-0x0000000000000000-mapping.dmp

Download
memory/1784-141-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2072-129-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/2072-117-0x0000000000000000-mapping.dmp

Download
memory/2400-142-0x0000000000000000-mapping.dmp

Download
memory/2576-143-0x0000000000000000-mapping.dmp

Download