njrat | 608a0047a24db367a88e482bef92fd3b9a33db19ad3635b404132202e432eacc

General

Target

tmp/bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Size

23KB
MD5

f4777ed999fd8352227e750ac0e1b85d
SHA1

fb8c3aa14e4a3bd678bb2ac5fb9d8eaa10f55cd3
SHA256

608a0047a24db367a88e482bef92fd3b9a33db19ad3635b404132202e432eacc
SHA512

4f1f20dce2375392339a3c1ef79ec7708b55b539c949b25655f3a1c749f9cdb875b2f5471c3642b586f6cf28e82caa357fd2d786819acdc6fe6cdef3cba06f80

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe

description	pid	process
Token: SeDebugPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: 33	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
Token: SeIncBasePriorityPrivilege	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe

description	pid	process	target process
PID 880 wrote to memory of 1528	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe	netsh.exe
PID 880 wrote to memory of 1528	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe	netsh.exe
PID 880 wrote to memory of 1528	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe	netsh.exe
PID 880 wrote to memory of 1528	880	bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\tmp\bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp\bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe" "bc61a6f7-5775-425d-9200-2f3e41d4fc52_server.exe" ENABLE
2⤵
PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/880-56-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1528-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing