njrat | 5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4

General

Target

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe
Size

216KB
MD5

90b1135d0678e51273bdd36523b59f98
SHA1

827ec99df4e10e99e4095a8ddbb95398a90ae728
SHA256

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4
SHA512

b8b26661053a81eaf9f86109d947ef07f30bbf77113e67bc7e2397dfafeeebd37b279801b0c3edc759dedb68659ec494f963824423a85809c0a4c7aa81167727

Score

10^/10

njrat fifa 2020 persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

FIFA 2020

C2

federa.duckdns.org:1990

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1990

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe

description	pid	process	target process
PID 964 set thread context of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

620 schtasks.exe
1640 schtasks.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1136 RegSvcs.exe
Token: 33 1136 RegSvcs.exe
Token: SeIncBasePriorityPrivilege 1136 RegSvcs.exe

pid	process
620	schtasks.exe
1640	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1136	RegSvcs.exe
Token: 33	1136	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1136	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exeRegSvcs.exe

description	pid	process	target process
PID 964 wrote to memory of 620	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 964 wrote to memory of 620	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 964 wrote to memory of 620	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 964 wrote to memory of 620	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 964 wrote to memory of 1136	964	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 1136 wrote to memory of 1744	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1744	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1744	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1744	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1640	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1640	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1640	1136	RegSvcs.exe	schtasks.exe
PID 1136 wrote to memory of 1640	1136	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe
"C:\Users\Admin\AppData\Local\Temp\5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukesTTIeEHYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
    3⤵
    - Creates scheduled task(s)
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C09.tmp

MD5
98873a780f1a65a3c8fc1f4c83d77e5e

SHA1
58b341bb7b3bc655690e5d70bfee1bac9005caea

SHA256
d351d497944c5c99f901d7329deaf9a32bdcc7dc792bc55c8dcd9e5bd2c919f8

SHA512
073d3b8a645d88983f94f26b4881353c10d6f415b5d0c55cf365176349859ffc65a042f9ac4f3330dd3c10e6c87f0c8c1c60c607577a2ff5b08c673b971729ee

Download Submit
memory/964-55-0x0000000000C00000-0x0000000000C3C000-memory.dmp

Filesize
240KB

Download
memory/964-56-0x0000000075F91000-0x0000000075F93000-memory.dmp

Filesize
8KB

Download
memory/964-57-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/964-58-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/964-59-0x0000000000750000-0x0000000000772000-memory.dmp

Filesize
136KB

Download
memory/1136-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-62-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-65-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-66-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1136-68-0x0000000000380000-0x00000000003F0000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads