njrat | 577b92a3a23917f55b1156d87ae4d4824894a3b15ae687ffa8b8af125a10438c

General

Target

Cirular-18April2017/Circular.exe
Size

264KB
MD5

695c5d19dc3c3c5cc39182e09d9274e6
SHA1

bc0aa3fce44b7d252919d820860709a0052cb76c
SHA256

6ee76407efa8157b7f2b80a3a7ccc41581851aca58ab10cb8caf0243ce6fa436
SHA512

a20bf0b073c43f55f9a8797e093422b2aea58949fa23e625e20ce9786421c120253cd4f988aa3b2f877d9cc7f6c472e8daabe58489d7b7ea2bec5c339e855e4b

Score

10^/10

njrat zalupa180417 evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

zalupa180417

C2

808080.ddns.net:5555

Mutex

4cb72bb7475074f5af41f3e5e189ee3f

Attributes

reg_key
4cb72bb7475074f5af41f3e5e189ee3f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 2 IoCs

Processes:

Circular.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe	Circular.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FlashUpdate.exe	Circular.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Circular.exe

description pid process target process

PID 2196 set thread context of 2312 2196 Circular.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Circular.exe

pid process

2196 Circular.exe
2196 Circular.exe

description	pid	process	target process
PID 2196 set thread context of 2312	2196	Circular.exe	RegAsm.exe

pid	process
2196	Circular.exe
2196	Circular.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

Circular.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2196	Circular.exe
Token: SeDebugPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe
Token: 33	2312	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2312	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Circular.exeRegAsm.exe

description	pid	process	target process
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2196 wrote to memory of 2312	2196	Circular.exe	RegAsm.exe
PID 2312 wrote to memory of 996	2312	RegAsm.exe	netsh.exe
PID 2312 wrote to memory of 996	2312	RegAsm.exe	netsh.exe
PID 2312 wrote to memory of 996	2312	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe
"C:\Users\Admin\AppData\Local\Temp\Cirular-18April2017\Circular.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
3⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-115-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2196-116-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/2196-117-0x0000000004EA0000-0x0000000004F61000-memory.dmp

Filesize
772KB

Download
memory/2312-118-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2312-119-0x0000000000C00000-0x0000000000CAE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads