njrat | 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

General

Target

dd5f2accefc6c6e3f0ffaa939e7466b0.exe
Size

93KB
MD5

dd5f2accefc6c6e3f0ffaa939e7466b0
SHA1

9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
SHA256

01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
SHA512

e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg==

Mutex

2fc48b1a11b49734cf2eee30891a9de9

Attributes

reg_key
2fc48b1a11b49734cf2eee30891a9de9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

760 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
760	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

dd5f2accefc6c6e3f0ffaa939e7466b0.exe

pid process

600 dd5f2accefc6c6e3f0ffaa939e7466b0.exe
600 dd5f2accefc6c6e3f0ffaa939e7466b0.exe
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Javax64.exe server.exe
File opened for modification C:\Windows\SysWOW64\Javax64.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

760 server.exe

pid	process
600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe
600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Javax64.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Javax64.exe	server.exe

pid	process
760	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe
Token: 33	760	server.exe
Token: SeIncBasePriorityPrivilege	760	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dd5f2accefc6c6e3f0ffaa939e7466b0.exeserver.exe

description	pid	process	target process
PID 600 wrote to memory of 760	600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 600 wrote to memory of 760	600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 600 wrote to memory of 760	600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 600 wrote to memory of 760	600	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 760 wrote to memory of 624	760	server.exe	netsh.exe
PID 760 wrote to memory of 624	760	server.exe	netsh.exe
PID 760 wrote to memory of 624	760	server.exe	netsh.exe
PID 760 wrote to memory of 624	760	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe
"C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
MD5
8fc22f973bec7f0525710dcf02f05edf

SHA1
418f88fe2c59f8d9579994aec4034d785e8ac00c

SHA256
ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46

SHA512
ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
memory/600-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/600-55-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/624-64-0x0000000000000000-mapping.dmp

Download
memory/760-58-0x0000000000000000-mapping.dmp

Download
memory/760-62-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads