njrat | e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

General

Target

a257fb9da7db9e80d787283985c8121c.exe
Size

25KB
MD5

a257fb9da7db9e80d787283985c8121c
SHA1

2c5a07669e3f0e263b7e4eafe79241e03d2683a1
SHA256

e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
SHA512

04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Score

10^/10

njrat pc trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

PC

C2

8.tcp.ngrok.io:17931

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

windows_update.exeServer.exeServer.exe

pid process

3956 windows_update.exe
856 Server.exe
1836 Server.exe

pid	process
3956	windows_update.exe
856	Server.exe
1836	Server.exe

Drops startup file 2 IoCs

Processes:

windows_update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windows_update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	windows_update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4360 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

a257fb9da7db9e80d787283985c8121c.exewindows_update.exe

pid process

3604 a257fb9da7db9e80d787283985c8121c.exe
3956 windows_update.exe

pid	process
4360	schtasks.exe

pid	process
3604	a257fb9da7db9e80d787283985c8121c.exe
3956	windows_update.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

windows_update.exe

description	pid	process
Token: SeDebugPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe
Token: 33	3956	windows_update.exe
Token: SeIncBasePriorityPrivilege	3956	windows_update.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a257fb9da7db9e80d787283985c8121c.exewindows_update.exe

description	pid	process	target process
PID 3604 wrote to memory of 3956	3604	a257fb9da7db9e80d787283985c8121c.exe	windows_update.exe
PID 3604 wrote to memory of 3956	3604	a257fb9da7db9e80d787283985c8121c.exe	windows_update.exe
PID 3956 wrote to memory of 4360	3956	windows_update.exe	schtasks.exe
PID 3956 wrote to memory of 4360	3956	windows_update.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe
"C:\Users\Admin\AppData\Local\Temp\a257fb9da7db9e80d787283985c8121c.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Roaming\windows_update.exe
"C:\Users\Admin\AppData\Roaming\windows_update.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:4360

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:856

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
MD5
ada37846cea22757d6153e65b720a367

SHA1
d9c9e33987d095b32c364fe40dd6f054feaf7ea9

SHA256
7daa4e8a6296b9e3df9669f6a574cbe481f2df9c751affbeb41a541173264520

SHA512
592640e40ad0c6bcd8719f2cdbf828f2e322ad729c23ac3b44dd252a9c0b08d370a1cfcbcb9038cdffed0866ae4d2f8762c421f5e1a89c8d9273f482d9d2662f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update.exe
MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update.exe
MD5
a257fb9da7db9e80d787283985c8121c

SHA1
2c5a07669e3f0e263b7e4eafe79241e03d2683a1

SHA256
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c

SHA512
04cae19f1d1720f1e2ff8e88a89fea0bb4d40895968ab48588a3cedc6b0c3158430db9093c99a573eb4937bdb2e3d98c925c29c7226e8df46a8f49d491ac02c8

Download Submit
memory/856-129-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/856-132-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/856-131-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/856-130-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/1836-138-0x000000001B550000-0x000000001B552000-memory.dmp

Filesize
8KB

Download
memory/1836-137-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1836-136-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/1836-135-0x0000000000620000-0x0000000000628000-memory.dmp

Filesize
32KB

Download
memory/3604-116-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3604-117-0x0000000003040000-0x0000000003052000-memory.dmp

Filesize
72KB

Download
memory/3604-118-0x000000001BB90000-0x000000001BB92000-memory.dmp

Filesize
8KB

Download
memory/3604-115-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3956-125-0x0000000000EB0000-0x0000000000EB2000-memory.dmp

Filesize
8KB

Download
memory/3956-124-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/3956-123-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/3956-122-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/3956-119-0x0000000000000000-mapping.dmp

Download
memory/4360-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads