njrat | e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

General

Target

a257fb9da7db9e80d787283985c8121c.exe
Size

25KB
MD5

a257fb9da7db9e80d787283985c8121c
SHA1

2c5a07669e3f0e263b7e4eafe79241e03d2683a1
SHA256

e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
SHA512

04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Score

10^/10

njrat pc trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

PC

C2

8.tcp.ngrok.io:17931

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

windows_update.exeServer.exeServer.exe

pid process

1100 windows_update.exe
1708 Server.exe
1764 Server.exe

pid	process
1100	windows_update.exe
1708	Server.exe
1764	Server.exe

Drops startup file 2 IoCs

Processes:

windows_update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windows_update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windows_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1728 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

a257fb9da7db9e80d787283985c8121c.exewindows_update.exe

pid process

1412 a257fb9da7db9e80d787283985c8121c.exe
1100 windows_update.exe

pid	process
1728	schtasks.exe

pid	process
1412	a257fb9da7db9e80d787283985c8121c.exe
1100	windows_update.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

windows_update.exe

description	pid	process
Token: SeDebugPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe
Token: 33	1100	windows_update.exe
Token: SeIncBasePriorityPrivilege	1100	windows_update.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a257fb9da7db9e80d787283985c8121c.exewindows_update.exetaskeng.exe

description	pid	process	target process
PID 1412 wrote to memory of 1100	1412	a257fb9da7db9e80d787283985c8121c.exe	windows_update.exe
PID 1412 wrote to memory of 1100	1412	a257fb9da7db9e80d787283985c8121c.exe	windows_update.exe
PID 1412 wrote to memory of 1100	1412	a257fb9da7db9e80d787283985c8121c.exe	windows_update.exe
PID 1100 wrote to memory of 1728	1100	windows_update.exe	schtasks.exe
PID 1100 wrote to memory of 1728	1100	windows_update.exe	schtasks.exe
PID 1100 wrote to memory of 1728	1100	windows_update.exe	schtasks.exe
PID 848 wrote to memory of 1708	848	taskeng.exe	Server.exe
PID 848 wrote to memory of 1708	848	taskeng.exe	Server.exe
PID 848 wrote to memory of 1708	848	taskeng.exe	Server.exe
PID 848 wrote to memory of 1764	848	taskeng.exe	Server.exe
PID 848 wrote to memory of 1764	848	taskeng.exe	Server.exe
PID 848 wrote to memory of 1764	848	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe
"C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Roaming\windows_update.exe
"C:\Users\Admin\AppData\Roaming\windows_update.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {20C249EB-CE96-4155-A5EC-A1719D3496C6} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
2⤵
- Executes dropped EXE
PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update.exe

MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update.exe

MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
memory/1100-65-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/1100-59-0x0000000000000000-mapping.dmp

Download
memory/1100-62-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/1100-64-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1100-63-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/1412-56-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/1412-55-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/1412-58-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download
memory/1412-57-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1708-67-0x0000000000000000-mapping.dmp

Download
memory/1708-70-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1708-71-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1708-72-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1708-73-0x000000001B3B0000-0x000000001B3B2000-memory.dmp

Filesize
8KB

Download
memory/1728-66-0x0000000000000000-mapping.dmp

Download
memory/1764-74-0x0000000000000000-mapping.dmp

Download
memory/1764-76-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1764-77-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/1764-78-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1764-79-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads