njrat | ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad

General

Target

S123erver.exe
Size

106KB
MD5

9a8bfcdfb43451e84f36db37a5dbeb69
SHA1

631c947853ecd90f85d1ceab0d4929b6f1a567b0
SHA256

ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad
SHA512

e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

Score

10^/10

njrat xmrig hacked evasion miner trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

ODIuFRANSESCOjAyLjE2Ny4yFRANSESCODUStrik:MTIzNjE=

Mutex

224a447697bf2b49e78d4ad88e1bc033

Attributes

reg_key
224a447697bf2b49e78d4ad88e1bc033
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1648 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1648	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

S123erver.exe

pid process

1588 S123erver.exe
1588 S123erver.exe
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1648 server.exe

pid	process
1588	S123erver.exe
1588	S123erver.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

pid	process
1648	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

S123erver.exeserver.exe

description	pid	process	target process
PID 1588 wrote to memory of 1648	1588	S123erver.exe	server.exe
PID 1588 wrote to memory of 1648	1588	S123erver.exe	server.exe
PID 1588 wrote to memory of 1648	1588	S123erver.exe	server.exe
PID 1588 wrote to memory of 1648	1588	S123erver.exe	server.exe
PID 1648 wrote to memory of 1100	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 1100	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 1100	1648	server.exe	netsh.exe
PID 1648 wrote to memory of 1100	1648	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\S123erver.exe
"C:\Users\Admin\AppData\Local\Temp\S123erver.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1100

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
9a8bfcdfb43451e84f36db37a5dbeb69

SHA1
631c947853ecd90f85d1ceab0d4929b6f1a567b0

SHA256
ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad

SHA512
e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
MD5
9a8bfcdfb43451e84f36db37a5dbeb69

SHA1
631c947853ecd90f85d1ceab0d4929b6f1a567b0

SHA256
ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad

SHA512
e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

Download Submit
C:\Users\Admin\AppData\Roaming\app
MD5
f478c76bbb3174dbc7fabae62224f818

SHA1
bed239508bad9fcd15a9bdea1e132f62468d07d1

SHA256
d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a

SHA512
b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
9a8bfcdfb43451e84f36db37a5dbeb69

SHA1
631c947853ecd90f85d1ceab0d4929b6f1a567b0

SHA256
ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad

SHA512
e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
MD5
9a8bfcdfb43451e84f36db37a5dbeb69

SHA1
631c947853ecd90f85d1ceab0d4929b6f1a567b0

SHA256
ab911ff317e64605f78af4e8f6f637a8e4a014fb426edb858aab588e105e5fad

SHA512
e156cfcbe62af0687118e62eefac1afbf86c8a956c423af55fdfc325aec30b11a0280a8231375610c6990d19b1cb79a557968f93c020ebb4c684592070ec7c92

Download Submit
memory/1100-65-0x0000000000000000-mapping.dmp

Download
memory/1588-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1648-59-0x0000000000000000-mapping.dmp

Download
memory/1648-64-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing