njrat | 746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469

General

Target

a2105798edb6b4164a60c200ad1c4e3a.exe
Size

27KB
MD5

a2105798edb6b4164a60c200ad1c4e3a
SHA1

2d9a66acba0e05de797f82d4a7b1d266d057078c
SHA256

746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469
SHA512

7ae2ff37e92b1f1e8d67b2963449d6dc9d10b7ba2d0920e10439f88ce9ff495510760ff500e4c290c2b48a51b6ace0f14cefe0020240b1c846a1594db4174088

Score

10^/10

njrat hacked persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

melhortrojanrerer.duckdns.org:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

3980 system.exe

pid	process
3980	system.exe

Drops startup file 4 IoCs

Processes:

a2105798edb6b4164a60c200ad1c4e3a.exesystem.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	a2105798edb6b4164a60c200ad1c4e3a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	system.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	system.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exea2105798edb6b4164a60c200ad1c4e3a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe"	a2105798edb6b4164a60c200ad1c4e3a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

system.exe

description	pid	process
Token: SeDebugPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe
Token: 33	3980	system.exe
Token: SeIncBasePriorityPrivilege	3980	system.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a2105798edb6b4164a60c200ad1c4e3a.exe

description	pid	process	target process
PID 2396 wrote to memory of 3980	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	system.exe
PID 2396 wrote to memory of 3980	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	system.exe
PID 2396 wrote to memory of 3980	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	system.exe
PID 2396 wrote to memory of 1348	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	attrib.exe
PID 2396 wrote to memory of 1348	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	attrib.exe
PID 2396 wrote to memory of 1348	2396	a2105798edb6b4164a60c200ad1c4e3a.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1348 attrib.exe

pid	process
1348	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a2105798edb6b4164a60c200ad1c4e3a.exe
"C:\Users\Admin\AppData\Local\Temp\a2105798edb6b4164a60c200ad1c4e3a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\system.exe"
2⤵
- Views/modifies file attributes
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
a2105798edb6b4164a60c200ad1c4e3a

SHA1
2d9a66acba0e05de797f82d4a7b1d266d057078c

SHA256
746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469

SHA512
7ae2ff37e92b1f1e8d67b2963449d6dc9d10b7ba2d0920e10439f88ce9ff495510760ff500e4c290c2b48a51b6ace0f14cefe0020240b1c846a1594db4174088

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
MD5
a2105798edb6b4164a60c200ad1c4e3a

SHA1
2d9a66acba0e05de797f82d4a7b1d266d057078c

SHA256
746e511b6f9291eea51de5f16e65eeeb5341049cb82ad8abe13d01452e85e469

SHA512
7ae2ff37e92b1f1e8d67b2963449d6dc9d10b7ba2d0920e10439f88ce9ff495510760ff500e4c290c2b48a51b6ace0f14cefe0020240b1c846a1594db4174088

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
de8251369fa42d8387f3a6b7e26e28ed

SHA1
812de09947f98566a945fc550dc40cbd7a09fd1b

SHA256
6487d55a15cf8865c91915718554e512aa2a387d33f752e73867a5cca55c92c1

SHA512
1b5a265ce3628f372736359fe59caf92e94b8d41837f89046c406821f2d044dcf35d1be14bc6d0b3e20ba5ef8b6668b8295bd8bcbe032b5edf88578f7771bcc1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
575936fce0f285df7d7975792778a591

SHA1
9d7d58769f52c14ddefd272d787649b24469a08c

SHA256
d1f641656c2b7eff9310bf67674344b1533837fb13336bc881f8956bc3976039

SHA512
30972f882b0ff5b2ced8965682b883e6e8f264502c07cda9effc99ea65df4414196dd0bd2eee1524d302253e8991859e2added6fa78a795e4bc96590f33712f6

Download Submit
memory/1348-121-0x0000000000000000-mapping.dmp

Download
memory/2396-118-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/3980-119-0x0000000000000000-mapping.dmp

Download
memory/3980-125-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads