njrat | 306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909

General

Target

306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
Size

27KB
MD5

03aaaf240a48f950913695178125016a
SHA1

b7fe1523b02d05539f769f4beead332e5f0e18bc
SHA256

306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909
SHA512

6af11725e06efd01ca1429e567ca93d608436b165a23229eea623e25291967ce3f057af5c596974d86a5e0c55b38a27a0b121471f2b49cd25c543e77ce09460d

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

zaki-botnet.portmap.host:5222

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Payload.exe

pid process

1344 Payload.exe

pid	process
1344	Payload.exe

Drops startup file 2 IoCs

Processes:

306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exePayload.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Payload.exe

description	pid	process
Token: SeDebugPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe
Token: 33	1344	Payload.exe
Token: SeIncBasePriorityPrivilege	1344	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe

description	pid	process	target process
PID 2668 wrote to memory of 1344	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	Payload.exe
PID 2668 wrote to memory of 1344	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	Payload.exe
PID 2668 wrote to memory of 1344	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	Payload.exe
PID 2668 wrote to memory of 1188	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	attrib.exe
PID 2668 wrote to memory of 1188	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	attrib.exe
PID 2668 wrote to memory of 1188	2668	306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1188 attrib.exe

pid	process
1188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe
"C:\Users\Admin\AppData\Local\Temp\306437A282F51A0C6ECD6E3EAAB2EF9FC376973DA40AE.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
2⤵
- Views/modifies file attributes
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
03aaaf240a48f950913695178125016a

SHA1
b7fe1523b02d05539f769f4beead332e5f0e18bc

SHA256
306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909

SHA512
6af11725e06efd01ca1429e567ca93d608436b165a23229eea623e25291967ce3f057af5c596974d86a5e0c55b38a27a0b121471f2b49cd25c543e77ce09460d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe
MD5
03aaaf240a48f950913695178125016a

SHA1
b7fe1523b02d05539f769f4beead332e5f0e18bc

SHA256
306437a282f51a0c6ecd6e3eaab2ef9fc376973da40ae0972bee7ea3839d0909

SHA512
6af11725e06efd01ca1429e567ca93d608436b165a23229eea623e25291967ce3f057af5c596974d86a5e0c55b38a27a0b121471f2b49cd25c543e77ce09460d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
1991f10d1bb9587a4dcc25f2bb8c8f9e

SHA1
5c9df522aed5a83549ac696e199db82a566bdd85

SHA256
d357a14dee540d8f10bad73521e229b86a7789a4e9932724c526de1ff3df38c1

SHA512
5d92dccecb7bf44e60a5b75d5add092e986aaccfc65a64a837d90cb10a38afb398bd1494061808e92ecd6c1cdb55202dcb6fbe688cd51b61433959ffeae7cb29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
30a1e8d4c1d5393b551df0bd30231068

SHA1
acd37b0c5e64b705e6184a184d11fa7856997cb3

SHA256
43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5

SHA512
fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c

Download Submit
memory/1188-118-0x0000000000000000-mapping.dmp

Download
memory/1344-116-0x0000000000000000-mapping.dmp

Download
memory/1344-122-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/2668-115-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads