njrat | 01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

General

Target

dd5f2accefc6c6e3f0ffaa939e7466b0.exe
Size

93KB
MD5

dd5f2accefc6c6e3f0ffaa939e7466b0
SHA1

9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4
SHA256

01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64
SHA512

e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

aXZpendpei5kZG5zLm5ldAStrikStrik:MTEyMg==

Mutex

2fc48b1a11b49734cf2eee30891a9de9

Attributes

reg_key
2fc48b1a11b49734cf2eee30891a9de9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3040 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3040	server.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Javax64.exe	server.exe

Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Javax64.exe server.exe
File opened for modification C:\Windows\SysWOW64\Javax64.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

3040 server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Javax64.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Javax64.exe	server.exe

pid	process
3040	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe
Token: 33	3040	server.exe
Token: SeIncBasePriorityPrivilege	3040	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

dd5f2accefc6c6e3f0ffaa939e7466b0.exeserver.exe

description	pid	process	target process
PID 3380 wrote to memory of 3040	3380	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 3380 wrote to memory of 3040	3380	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 3380 wrote to memory of 3040	3380	dd5f2accefc6c6e3f0ffaa939e7466b0.exe	server.exe
PID 3040 wrote to memory of 4016	3040	server.exe	netsh.exe
PID 3040 wrote to memory of 4016	3040	server.exe	netsh.exe
PID 3040 wrote to memory of 4016	3040	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe
"C:\Users\Admin\AppData\Local\Temp\dd5f2accefc6c6e3f0ffaa939e7466b0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:4016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
MD5
c60feebd511c87b86dea130692995a0f

SHA1
d64447a8b3d8949cab5a1f8d168f7c6fee6b6a0a

SHA256
632994320c04707e7ef564b3e983a694170561659552a24dfe14a922dcf0f511

SHA512
bf03fbf3329c6f7a21ecd620319ef1a6f676b22a27afd24aab546483c3fe5f6eee7bbcfdc14c5f6626957f2b96519bdd21aaea45d74a80253fa4220c8c12df7c

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
MD5
dd5f2accefc6c6e3f0ffaa939e7466b0

SHA1
9acf53d5bf720e9bd7ebd2222d9c367be68eb6c4

SHA256
01a7fccd0aa64adcaa13e7109f8c969cabefcba820efaafbd75c6cd28490fe64

SHA512
e64d7c39b806d7a0bfa1065b50320f227e632f74b69f084f4f721f15f06dffb07e6f7addc5bed574359419922b06915b33b9834ed391b5f6baffd30ded7fa02e

Download Submit
memory/3040-116-0x0000000000000000-mapping.dmp

Download
memory/3040-120-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/3380-115-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4016-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads