njrat | e80b7525c04cf98d2bb872559472d9d98f803cb43d02dd45c219c8b2f69ad02f

General

Target

cc579df05cc94213fa649e5e6a7bb249.exe
Size

37KB
MD5

cc579df05cc94213fa649e5e6a7bb249
SHA1

231683a72b0a4406b177ea62a45b2b06c37acfb9
SHA256

e80b7525c04cf98d2bb872559472d9d98f803cb43d02dd45c219c8b2f69ad02f
SHA512

dc63ba9c154fad079f6ef9d5de9a0b1ee5919d1cf64dcd54f2563069efd56685d374aacc9d197a9ac69494781e492133f7459e87516e3827c3eb6c944756c0dc

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

80.64.80.233:8007

Mutex

abbc667e1c50def29b48feb179075d94

Attributes

reg_key
abbc667e1c50def29b48feb179075d94
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1892 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Loads dropped DLL 1 IoCs

Processes:

cc579df05cc94213fa649e5e6a7bb249.exe

pid process

604 cc579df05cc94213fa649e5e6a7bb249.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1892	server.exe

pid	process
604	cc579df05cc94213fa649e5e6a7bb249.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe
Token: 33	1892	server.exe
Token: SeIncBasePriorityPrivilege	1892	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cc579df05cc94213fa649e5e6a7bb249.exeserver.exe

description	pid	process	target process
PID 604 wrote to memory of 1892	604	cc579df05cc94213fa649e5e6a7bb249.exe	server.exe
PID 604 wrote to memory of 1892	604	cc579df05cc94213fa649e5e6a7bb249.exe	server.exe
PID 604 wrote to memory of 1892	604	cc579df05cc94213fa649e5e6a7bb249.exe	server.exe
PID 604 wrote to memory of 1892	604	cc579df05cc94213fa649e5e6a7bb249.exe	server.exe
PID 1892 wrote to memory of 1224	1892	server.exe	netsh.exe
PID 1892 wrote to memory of 1224	1892	server.exe	netsh.exe
PID 1892 wrote to memory of 1224	1892	server.exe	netsh.exe
PID 1892 wrote to memory of 1224	1892	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cc579df05cc94213fa649e5e6a7bb249.exe
"C:\Users\Admin\AppData\Local\Temp\cc579df05cc94213fa649e5e6a7bb249.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
cc579df05cc94213fa649e5e6a7bb249

SHA1
231683a72b0a4406b177ea62a45b2b06c37acfb9

SHA256
e80b7525c04cf98d2bb872559472d9d98f803cb43d02dd45c219c8b2f69ad02f

SHA512
dc63ba9c154fad079f6ef9d5de9a0b1ee5919d1cf64dcd54f2563069efd56685d374aacc9d197a9ac69494781e492133f7459e87516e3827c3eb6c944756c0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

MD5
cc579df05cc94213fa649e5e6a7bb249

SHA1
231683a72b0a4406b177ea62a45b2b06c37acfb9

SHA256
e80b7525c04cf98d2bb872559472d9d98f803cb43d02dd45c219c8b2f69ad02f

SHA512
dc63ba9c154fad079f6ef9d5de9a0b1ee5919d1cf64dcd54f2563069efd56685d374aacc9d197a9ac69494781e492133f7459e87516e3827c3eb6c944756c0dc

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

MD5
cc579df05cc94213fa649e5e6a7bb249

SHA1
231683a72b0a4406b177ea62a45b2b06c37acfb9

SHA256
e80b7525c04cf98d2bb872559472d9d98f803cb43d02dd45c219c8b2f69ad02f

SHA512
dc63ba9c154fad079f6ef9d5de9a0b1ee5919d1cf64dcd54f2563069efd56685d374aacc9d197a9ac69494781e492133f7459e87516e3827c3eb6c944756c0dc

Download Submit
memory/604-54-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download
memory/604-55-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1224-62-0x0000000000000000-mapping.dmp

Download
memory/1892-57-0x0000000000000000-mapping.dmp

Download
memory/1892-61-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing