njrat | 63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

General

Target

ad24b1319a3a895d8b83a0deae7eac57.exe
Size

78KB
MD5

ad24b1319a3a895d8b83a0deae7eac57
SHA1

81f2908cbb43a41fac8208a9805c06521331f512
SHA256

63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d
SHA512

b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Score

10^/10

njrat lime suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

daudas.ddns.net:7075

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
12345

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

1992 Client.exe
1468 Client.exe
1632 Client.exe

pid	process
1992	Client.exe
1468	Client.exe
1632	Client.exe

Drops startup file 2 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Loads dropped DLL 1 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exe

pid process

1676 ad24b1319a3a895d8b83a0deae7eac57.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1548 schtasks.exe
1748 schtasks.exe
1952 schtasks.exe
1736 schtasks.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid process

472 TASKKILL.exe
528 TASKKILL.exe
1976 TASKKILL.exe
1396 TASKKILL.exe
320 TASKKILL.exe
1752 TASKKILL.exe
1848 TASKKILL.exe
852 TASKKILL.exe

pid	process
1548	schtasks.exe
1748	schtasks.exe
1952	schtasks.exe
1736	schtasks.exe

pid	process
472	TASKKILL.exe
528	TASKKILL.exe
1976	TASKKILL.exe
1396	TASKKILL.exe
320	TASKKILL.exe
1752	TASKKILL.exe
1848	TASKKILL.exe
852	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeClient.exeClient.exeClient.exe

pid	process
1676	ad24b1319a3a895d8b83a0deae7eac57.exe
1676	ad24b1319a3a895d8b83a0deae7eac57.exe
1676	ad24b1319a3a895d8b83a0deae7eac57.exe
1676	ad24b1319a3a895d8b83a0deae7eac57.exe
1676	ad24b1319a3a895d8b83a0deae7eac57.exe
1992	Client.exe
1992	Client.exe
1992	Client.exe
1992	Client.exe
1992	Client.exe
1468	Client.exe
1468	Client.exe
1468	Client.exe
1468	Client.exe
1468	Client.exe
1468	Client.exe
1468	Client.exe
1632	Client.exe
1632	Client.exe
1632	Client.exe
1632	Client.exe
1632	Client.exe
1632	Client.exe
1632	Client.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	1676	ad24b1319a3a895d8b83a0deae7eac57.exe
Token: SeDebugPrivilege	320	TASKKILL.exe
Token: SeDebugPrivilege	1396	TASKKILL.exe
Token: SeDebugPrivilege	1992	Client.exe
Token: SeDebugPrivilege	1752	TASKKILL.exe
Token: SeDebugPrivilege	1848	TASKKILL.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: SeDebugPrivilege	1468	Client.exe
Token: SeDebugPrivilege	852	TASKKILL.exe
Token: SeDebugPrivilege	472	TASKKILL.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: SeDebugPrivilege	1632	Client.exe
Token: SeDebugPrivilege	528	TASKKILL.exe
Token: SeDebugPrivilege	1976	TASKKILL.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe
Token: 33	1992	Client.exe
Token: SeIncBasePriorityPrivilege	1992	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad24b1319a3a895d8b83a0deae7eac57.exeClient.exetaskeng.exeClient.exeClient.exe

description	pid	process	target process
PID 1676 wrote to memory of 1396	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 1396	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 1396	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 1396	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 320	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 320	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 320	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 320	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	TASKKILL.exe
PID 1676 wrote to memory of 792	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 792	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 792	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 792	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 1952	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 1952	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 1952	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 1952	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	schtasks.exe
PID 1676 wrote to memory of 1992	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 1676 wrote to memory of 1992	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 1676 wrote to memory of 1992	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 1676 wrote to memory of 1992	1676	ad24b1319a3a895d8b83a0deae7eac57.exe	Client.exe
PID 1992 wrote to memory of 1752	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1752	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1752	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1752	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1848	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1848	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1848	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1848	1992	Client.exe	TASKKILL.exe
PID 1992 wrote to memory of 1956	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1956	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1956	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1956	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1736	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1736	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1736	1992	Client.exe	schtasks.exe
PID 1992 wrote to memory of 1736	1992	Client.exe	schtasks.exe
PID 656 wrote to memory of 1468	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1468	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1468	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1468	656	taskeng.exe	Client.exe
PID 1468 wrote to memory of 852	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 852	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 852	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 852	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 472	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 472	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 472	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 472	1468	Client.exe	TASKKILL.exe
PID 1468 wrote to memory of 792	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 792	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 792	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 792	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 1548	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 1548	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 1548	1468	Client.exe	schtasks.exe
PID 1468 wrote to memory of 1548	1468	Client.exe	schtasks.exe
PID 656 wrote to memory of 1632	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1632	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1632	656	taskeng.exe	Client.exe
PID 656 wrote to memory of 1632	656	taskeng.exe	Client.exe
PID 1632 wrote to memory of 528	1632	Client.exe	TASKKILL.exe
PID 1632 wrote to memory of 528	1632	Client.exe	TASKKILL.exe
PID 1632 wrote to memory of 528	1632	Client.exe	TASKKILL.exe
PID 1632 wrote to memory of 528	1632	Client.exe	TASKKILL.exe

C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe
"C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ad24b1319a3a895d8b83a0deae7eac57.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:1952

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\taskeng.exe
taskeng.exe {34F8959E-96B2-4392-9D42-A164E6C349C6} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:792

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1548

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe

MD5
ad24b1319a3a895d8b83a0deae7eac57

SHA1
81f2908cbb43a41fac8208a9805c06521331f512

SHA256
63d4943fbc9e572db52df96729327f29c0342f7b7f192d823dc7a322116f033d

SHA512
b061a04845024ed69a1da828f2c85f9f47ff8a5214db47231645db4eef639d18b7c1e6d97e0751ee977e84eca4e4561a8963f1d8468ac424f55a2844e4719231

Download Submit
memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/472-75-0x0000000000000000-mapping.dmp

Download
memory/528-82-0x0000000000000000-mapping.dmp

Download
memory/792-59-0x0000000000000000-mapping.dmp

Download
memory/792-77-0x0000000000000000-mapping.dmp

Download
memory/852-74-0x0000000000000000-mapping.dmp

Download
memory/1396-57-0x0000000000000000-mapping.dmp

Download
memory/1468-76-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1468-71-0x0000000000000000-mapping.dmp

Download
memory/1548-78-0x0000000000000000-mapping.dmp

Download
memory/1632-84-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1632-79-0x0000000000000000-mapping.dmp

Download
memory/1676-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1736-70-0x0000000000000000-mapping.dmp

Download
memory/1748-86-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000000000000-mapping.dmp

Download
memory/1848-67-0x0000000000000000-mapping.dmp

Download
memory/1952-60-0x0000000000000000-mapping.dmp

Download
memory/1956-69-0x0000000000000000-mapping.dmp

Download
memory/1976-83-0x0000000000000000-mapping.dmp

Download
memory/1992-68-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/1992-62-0x0000000000000000-mapping.dmp

Download
memory/1996-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads