njrat | b7d0ded75d90d6564378aa3cef07ee6d81043ae8f8e51fd0ea9c459617933a42

General

Target

B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
Size

491KB
MD5

38ce6952a20ff8bad29372531d7d18c0
SHA1

394502b774b18e13b84b624cb6309e82b0980dd4
SHA256

b7d0ded75d90d6564378aa3cef07ee6d81043ae8f8e51fd0ea9c459617933a42
SHA512

6b27b9537a28d9ae10780a30eef68a6fceebaf8e1cb77307c59884e9be82b9fb37c7ee3c3c12ea34814c4d6840f25954fe505f0201a9e788d43a443bcaa718a2

Score

10^/10

njrat m1 persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

m1

C2

6.tcp.ngrok.io:16704

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Server.sfx.exeServer.exeTemp.exe

pid process

1152 Server.sfx.exe
3532 Server.exe
728 Temp.exe

pid	process
1152	Server.sfx.exe
3532	Server.exe
728	Temp.exe

Drops startup file 2 IoCs

Processes:

Temp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Temp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Temp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Temp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .."	Temp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp.exe\" .."	Temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3716 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Server.exeTemp.exe

pid process

3532 Server.exe
728 Temp.exe

pid	process
3716	schtasks.exe

pid	process
3532	Server.exe
728	Temp.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Temp.exe

description	pid	process
Token: SeDebugPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe
Token: 33	728	Temp.exe
Token: SeIncBasePriorityPrivilege	728	Temp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.execmd.exeServer.sfx.exeServer.exeTemp.exe

description	pid	process	target process
PID 2832 wrote to memory of 768	2832	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 2832 wrote to memory of 768	2832	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 2832 wrote to memory of 768	2832	B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe	cmd.exe
PID 768 wrote to memory of 1152	768	cmd.exe	Server.sfx.exe
PID 768 wrote to memory of 1152	768	cmd.exe	Server.sfx.exe
PID 768 wrote to memory of 1152	768	cmd.exe	Server.sfx.exe
PID 1152 wrote to memory of 3532	1152	Server.sfx.exe	Server.exe
PID 1152 wrote to memory of 3532	1152	Server.sfx.exe	Server.exe
PID 1152 wrote to memory of 3532	1152	Server.sfx.exe	Server.exe
PID 3532 wrote to memory of 728	3532	Server.exe	Temp.exe
PID 3532 wrote to memory of 728	3532	Server.exe	Temp.exe
PID 3532 wrote to memory of 728	3532	Server.exe	Temp.exe
PID 728 wrote to memory of 3716	728	Temp.exe	schtasks.exe
PID 728 wrote to memory of 3716	728	Temp.exe	schtasks.exe
PID 728 wrote to memory of 3716	728	Temp.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe
"C:\Users\Admin\AppData\Local\Temp\B7D0DED75D90D6564378AA3CEF07EE6D81043AE8F8E51.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
Server.sfx.exe -p1111
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Local\Temp\Temp.exe
"C:\Users\Admin\AppData\Local\Temp\Temp.exe"
5⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
6⤵
- Creates scheduled task(s)
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
MD5
cec92223347872a8799157529419bce8

SHA1
6b8f96b457ec8c7419a298345dbb0fc1225a1019

SHA256
7e09c9d1af9ca8d68ae70dc90dc2a92d35dcae7de44da8052998ba0db6dead85

SHA512
1cdea463a3554f35caa357d4fa271282ff17b831a4985eda03c3fd494d4a15171c3eb7206a50fff6ae01cf2ed598b7394e56ec0034b9497ffb841cb15e12e1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
MD5
0151a4149ba60b63001bdb6e42e208cb

SHA1
ff645213728b329d1283c85dc80fea300cfa0e49

SHA256
6f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60

SHA512
9deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Server.sfx.exe
MD5
0151a4149ba60b63001bdb6e42e208cb

SHA1
ff645213728b329d1283c85dc80fea300cfa0e49

SHA256
6f75507d27249b6729889ae8f77613ad2f2b01fb7deff271b0e2cf8bcfa98e60

SHA512
9deaf287b14ed8dfed9220f3bbe2a023ba2f16537eb199c75804e02861cae41c63eebfb7ee9cd4b7a2f4f49aefbfeeea8b235ce7eab516a72454b9e78825afa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp.exe
MD5
df24ae4ef4f5e04599c3f3a12b1f186b

SHA1
89472d86e58137da606226eec065100a18d4d856

SHA256
e5b82a70a90522c865a40cda14ef8477ebc5adc580ca43103bea3001d28265fd

SHA512
e42ccd4f6e192a4624465f209e0b3dc0133cf08ef64ad2da72b5ac521c95e683c0dfbc8ee45bf9d2191fd38dd253de00fe0a07d73c0b92dcc1bc9b863ba77a70

Download Submit
memory/728-141-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/728-143-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/728-133-0x0000000000000000-mapping.dmp

Download
memory/728-144-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/728-145-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/768-117-0x0000000000000000-mapping.dmp

Download
memory/1152-121-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1152-122-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1152-119-0x0000000000000000-mapping.dmp

Download
memory/2832-116-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2832-115-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3532-130-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/3532-131-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3532-132-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/3532-129-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3532-127-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3532-124-0x0000000000000000-mapping.dmp

Download
memory/3716-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads