njrat | 9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb

General

Target

gtarpcheat.exe
Size

103KB
MD5

c1baf97f7fb46569c697c3d719ad6cec
SHA1

82396f8670a064715b8c1bf6d54b84e3ccc90331
SHA256

9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb
SHA512

17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb

Score

10^/10

njrat gta rp evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

GTA RP

C2

microsoftsecurityessentials.duckdns.org:1177

Mutex

2d2d20531cddc7f18203ecb28deee8a9

Attributes

reg_key
2d2d20531cddc7f18203ecb28deee8a9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

756 explorer.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d2d20531cddc7f18203ecb28deee8a9.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d2d20531cddc7f18203ecb28deee8a9.exe	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d2d20531cddc7f18203ecb28deee8a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d2d20531cddc7f18203ecb28deee8a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3496 taskkill.exe

pid	process
3496	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exe

pid	process
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe
756	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

756 explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

explorer.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	756	explorer.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: 33	756	explorer.exe
Token: SeIncBasePriorityPrivilege	756	explorer.exe
Token: 33	756	explorer.exe
Token: SeIncBasePriorityPrivilege	756	explorer.exe
Token: 33	756	explorer.exe
Token: SeIncBasePriorityPrivilege	756	explorer.exe
Token: 33	756	explorer.exe
Token: SeIncBasePriorityPrivilege	756	explorer.exe
Token: 33	756	explorer.exe
Token: SeIncBasePriorityPrivilege	756	explorer.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

gtarpcheat.exeexplorer.exe

description	pid	process	target process
PID 3684 wrote to memory of 756	3684	gtarpcheat.exe	explorer.exe
PID 3684 wrote to memory of 756	3684	gtarpcheat.exe	explorer.exe
PID 3684 wrote to memory of 756	3684	gtarpcheat.exe	explorer.exe
PID 756 wrote to memory of 3468	756	explorer.exe	netsh.exe
PID 756 wrote to memory of 3468	756	explorer.exe	netsh.exe
PID 756 wrote to memory of 3468	756	explorer.exe	netsh.exe
PID 756 wrote to memory of 3496	756	explorer.exe	taskkill.exe
PID 756 wrote to memory of 3496	756	explorer.exe	taskkill.exe
PID 756 wrote to memory of 3496	756	explorer.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\gtarpcheat.exe
"C:\Users\Admin\AppData\Local\Temp\gtarpcheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
3⤵
PID:3468

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Exsample.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe
MD5
c1baf97f7fb46569c697c3d719ad6cec

SHA1
82396f8670a064715b8c1bf6d54b84e3ccc90331

SHA256
9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb

SHA512
17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
MD5
c1baf97f7fb46569c697c3d719ad6cec

SHA1
82396f8670a064715b8c1bf6d54b84e3ccc90331

SHA256
9c722b7e216af094f3c8fc75011dac7b619ca0d83042ee7de350d08fccaf7feb

SHA512
17bdc72566b604b4794b4935022930001a344ebf485a996aaeaa9928a327edfb87a5c009bb400fae5720c43e92742d173677cfb3b33a5ae729c626031794e1eb

Download Submit
memory/756-116-0x0000000000000000-mapping.dmp

Download
memory/756-119-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/3468-120-0x0000000000000000-mapping.dmp

Download
memory/3496-121-0x0000000000000000-mapping.dmp

Download
memory/3684-115-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads