njrat | b7d0ded75d90d6564378aa3cef07ee6d81043ae8f8e51fd0ea9c459617933a42

Analysis

max time kernel
149s
max time network
189s
platform
windows7_x64
resource
win7-en-20210920
submitted
25-10-2021 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
Size

491KB
MD5

38ce6952a20ff8bad29372531d7d18c0
SHA1

394502b774b18e13b84b624cb6309e82b0980dd4
SHA256

b7d0ded75d90d6564378aa3cef07ee6d81043ae8f8e51fd0ea9c459617933a42
SHA512

6b27b9537a28d9ae10780a30eef68a6fceebaf8e1cb77307c59884e9be82b9fb37c7ee3c3c12ea34814c4d6840f25954fe505f0201a9e788d43a443bcaa718a2

Score

10^/10

njrat m1 persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

6.tcp.ngrok.io:16704

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

Server.sfx.exeServer.exeTemp.exeServer.exeServer.exe

pid process

1604 Server.sfx.exe
968 Server.exe
1480 Temp.exe
896 Server.exe
588 Server.exe

pid	process
1604	Server.sfx.exe
968	Server.exe
1480	Temp.exe
896	Server.exe
588	Server.exe

Drops startup file 2 IoCs

Processes:

Temp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Temp.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exeServer.sfx.exeServer.exe

pid process

812 cmd.exe
1604 Server.sfx.exe
1604 Server.sfx.exe
1604 Server.sfx.exe
968 Server.exe

pid	process
812	cmd.exe
1604	Server.sfx.exe
1604	Server.sfx.exe
1604	Server.sfx.exe
968	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Temp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .."	Temp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .."	Temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1836 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Temp.exe

pid process

1480 Temp.exe

pid	process
1836	schtasks.exe

pid	process
1480	Temp.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

Temp.exe

description	pid	process
Token: SeDebugPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe
Token: 33	1480	Temp.exe
Token: SeIncBasePriorityPrivilege	1480	Temp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.execmd.exeServer.sfx.exeServer.exeTemp.exetaskeng.exe

description	pid	process	target process
PID 724 wrote to memory of 812	724	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 724 wrote to memory of 812	724	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 724 wrote to memory of 812	724	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 724 wrote to memory of 812	724	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 812 wrote to memory of 1604	812	cmd.exe	Server.sfx.exe
PID 812 wrote to memory of 1604	812	cmd.exe	Server.sfx.exe
PID 812 wrote to memory of 1604	812	cmd.exe	Server.sfx.exe
PID 812 wrote to memory of 1604	812	cmd.exe	Server.sfx.exe
PID 1604 wrote to memory of 968	1604	Server.sfx.exe	Server.exe
PID 1604 wrote to memory of 968	1604	Server.sfx.exe	Server.exe
PID 1604 wrote to memory of 968	1604	Server.sfx.exe	Server.exe
PID 1604 wrote to memory of 968	1604	Server.sfx.exe	Server.exe
PID 968 wrote to memory of 1480	968	Server.exe	Temp.exe
PID 968 wrote to memory of 1480	968	Server.exe	Temp.exe
PID 968 wrote to memory of 1480	968	Server.exe	Temp.exe
PID 968 wrote to memory of 1480	968	Server.exe	Temp.exe
PID 1480 wrote to memory of 1836	1480	Temp.exe	schtasks.exe
PID 1480 wrote to memory of 1836	1480	Temp.exe	schtasks.exe
PID 1480 wrote to memory of 1836	1480	Temp.exe	schtasks.exe
PID 1480 wrote to memory of 1836	1480	Temp.exe	schtasks.exe
PID 1112 wrote to memory of 896	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 896	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 896	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 896	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 588	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 588	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 588	1112	taskeng.exe	Server.exe
PID 1112 wrote to memory of 588	1112	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
"C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
Server.sfx.exe -p1111
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Temp.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
6⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\taskeng.exe
taskeng.exe {189DD937-4602-4F16-AA91-2ECCFC323467} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:896

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
MD5
cec92223347872a8799157529419bce8

SHA1
6b8f96b457ec8c7419a298345dbb0fc1225a1019

SHA256
7e09c9d1af9ca8d68ae70dc90dc2a92d35dcae7de44da8052998ba0db6dead85

SHA512
1cdea463a3554f35caa357d4fa271282ff17b831a4985eda03c3fd494d4a15171c3eb7206a50fff6ae01cf2ed598b7394e56ec0034b9497ffb841cb15e12e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
MD5
0151a4149ba60b63001bdb6e42e208cb

SHA1
ff645213728b329d1283c85dc80fea300cfa0e49

SHA256
6f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60

SHA512
9deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
MD5
0151a4149ba60b63001bdb6e42e208cb

SHA1
ff645213728b329d1283c85dc80fea300cfa0e49

SHA256
6f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60

SHA512
9deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
MD5
0151a4149ba60b63001bdb6e42e208cb

SHA1
ff645213728b329d1283c85dc80fea300cfa0e49

SHA256
6f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60

SHA512
9deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
\Users\Admin\AppData\Local\Temp\Temp.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
memory/588-90-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/588-86-0x0000000000000000-mapping.dmp

Download
memory/588-88-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/724-54-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/812-55-0x0000000000000000-mapping.dmp

Download
memory/896-85-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/896-83-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/896-81-0x0000000000000000-mapping.dmp

Download
memory/968-70-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/968-68-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/1480-78-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/1480-76-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1480-73-0x0000000000000000-mapping.dmp

Download
memory/1604-59-0x0000000000000000-mapping.dmp

Download
memory/1836-79-0x0000000000000000-mapping.dmp

Download