njrat | e1a51853ecacc1cc2ecb286ee437e3ec340c78a398e88cab47eaa874ac7af7de

General

Target

GeforceNow.exe
Size

29KB
MD5

f1aa4749c6bf4f095862c0a26c32eb26
SHA1

99cfe703d358c76b06feccc397c4461e39e02309
SHA256

e1a51853ecacc1cc2ecb286ee437e3ec340c78a398e88cab47eaa874ac7af7de
SHA512

4e3ab6ba5a010f0e9162cfce693b199d161f5fcb33f5d51bb5948e8aebc281750e58b9d8e1a8cac04e7627afa2adbc584094a840e0e899c46032098d82ae99f2

Score

10^/10

njrat x33 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

x33

C2

flubabapro.duckdns.org:53

Mutex

599ba46d0096edac8ad1cb1ef14e5829

Attributes

reg_key
599ba46d0096edac8ad1cb1ef14e5829
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

riot.exe

pid process

3248 riot.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

riot.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\599ba46d0096edac8ad1cb1ef14e5829.exe	riot.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\599ba46d0096edac8ad1cb1ef14e5829.exe	riot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

riot.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\599ba46d0096edac8ad1cb1ef14e5829 = "\"C:\\Users\\Admin\\riot.exe\" .."	riot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\599ba46d0096edac8ad1cb1ef14e5829 = "\"C:\\Users\\Admin\\riot.exe\" .."	riot.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

riot.exe

pid	process
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe
3248	riot.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

riot.exe

description pid process

Token: SeDebugPrivilege 3248 riot.exe

description	pid	process
Token: SeDebugPrivilege	3248	riot.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

GeforceNow.exeriot.exe

description	pid	process	target process
PID 3264 wrote to memory of 3248	3264	GeforceNow.exe	riot.exe
PID 3264 wrote to memory of 3248	3264	GeforceNow.exe	riot.exe
PID 3264 wrote to memory of 3248	3264	GeforceNow.exe	riot.exe
PID 3248 wrote to memory of 1368	3248	riot.exe	netsh.exe
PID 3248 wrote to memory of 1368	3248	riot.exe	netsh.exe
PID 3248 wrote to memory of 1368	3248	riot.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\GeforceNow.exe
"C:\Users\Admin\AppData\Local\Temp\GeforceNow.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\riot.exe
"C:\Users\Admin\riot.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\riot.exe" "riot.exe" ENABLE
3⤵
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\riot.exe
MD5
f1aa4749c6bf4f095862c0a26c32eb26

SHA1
99cfe703d358c76b06feccc397c4461e39e02309

SHA256
e1a51853ecacc1cc2ecb286ee437e3ec340c78a398e88cab47eaa874ac7af7de

SHA512
4e3ab6ba5a010f0e9162cfce693b199d161f5fcb33f5d51bb5948e8aebc281750e58b9d8e1a8cac04e7627afa2adbc584094a840e0e899c46032098d82ae99f2

Download Submit
C:\Users\Admin\riot.exe
MD5
f1aa4749c6bf4f095862c0a26c32eb26

SHA1
99cfe703d358c76b06feccc397c4461e39e02309

SHA256
e1a51853ecacc1cc2ecb286ee437e3ec340c78a398e88cab47eaa874ac7af7de

SHA512
4e3ab6ba5a010f0e9162cfce693b199d161f5fcb33f5d51bb5948e8aebc281750e58b9d8e1a8cac04e7627afa2adbc584094a840e0e899c46032098d82ae99f2

Download Submit
memory/1368-118-0x0000000000000000-mapping.dmp

Download
memory/3248-115-0x0000000000000000-mapping.dmp

Download
memory/3248-119-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3264-114-0x00000000007C0000-0x000000000086E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads