njrat | 5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4

General

Target

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe
Size

216KB
MD5

90b1135d0678e51273bdd36523b59f98
SHA1

827ec99df4e10e99e4095a8ddbb95398a90ae728
SHA256

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4
SHA512

b8b26661053a81eaf9f86109d947ef07f30bbf77113e67bc7e2397dfafeeebd37b279801b0c3edc759dedb68659ec494f963824423a85809c0a4c7aa81167727

Score

10^/10

njrat fifa 2020 persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

FIFA 2020

C2

federa.duckdns.org:1990

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1990

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\" .."	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe

description	pid	process	target process
PID 948 set thread context of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

856 schtasks.exe
1728 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe

pid process

948 5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe

pid	process
856	schtasks.exe
1728	schtasks.exe

pid	process
948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe
Token: SeDebugPrivilege	3504	RegSvcs.exe
Token: 33	3504	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3504	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exeRegSvcs.exe

description	pid	process	target process
PID 948 wrote to memory of 856	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 948 wrote to memory of 856	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 948 wrote to memory of 856	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	schtasks.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 948 wrote to memory of 3504	948	5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe	RegSvcs.exe
PID 3504 wrote to memory of 1548	3504	RegSvcs.exe	schtasks.exe
PID 3504 wrote to memory of 1548	3504	RegSvcs.exe	schtasks.exe
PID 3504 wrote to memory of 1548	3504	RegSvcs.exe	schtasks.exe
PID 3504 wrote to memory of 1728	3504	RegSvcs.exe	schtasks.exe
PID 3504 wrote to memory of 1728	3504	RegSvcs.exe	schtasks.exe
PID 3504 wrote to memory of 1728	3504	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe
"C:\Users\Admin\AppData\Local\Temp\5aeabf6af7ec72e14269699ca9c32c42b278b620c523efacd06316b09764acb4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fukesTTIeEHYu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEEF6.tmp"
2⤵
- Creates scheduled task(s)
PID:856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEEF6.tmp
MD5
5fb0a076ec20aab775f6b44ef5f3dfc5

SHA1
5c5a5ce49a5f7e4a0ed0a55b12c708aceeaa4f2a

SHA256
bfe9e6b92ebec26694560a77cb6a82d0db284ac23664ed51352baf0c765361dd

SHA512
ceca017ae6c05b8df942dc3f95c42ee747cfca1be4ecbad9ed7d8e93cdc986235276b5871935f3d4a599af6c4b0d4a3c85aebe31888fbb708caa527d829e5368

Download Submit
memory/948-115-0x0000000000DC0000-0x0000000000DFC000-memory.dmp

Filesize
240KB

Download
memory/948-116-0x0000000005C50000-0x000000000614E000-memory.dmp

Filesize
5.0MB

Download
memory/948-117-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/948-118-0x0000000005750000-0x0000000005C4E000-memory.dmp

Filesize
5.0MB

Download
memory/948-119-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/948-120-0x0000000001800000-0x0000000001810000-memory.dmp

Filesize
64KB

Download
memory/948-121-0x0000000005BF0000-0x0000000005C12000-memory.dmp

Filesize
136KB

Download
memory/948-122-0x0000000007DB0000-0x0000000007E4C000-memory.dmp

Filesize
624KB

Download
memory/3504-124-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3504-125-0x0000000004D60000-0x000000000525E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads