Overview

overview

10

Static

static

njRAT.exe

windows7_x64

10

njRAT.exe

windows10_x64

10

Resubmissions

25-01-2022 09:50

220125-ltxepsdee4 10

Analysis

  • max time kernel
    211s
  • max time network
    210s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    njRAT.exe

  • Size

    959KB

  • MD5

    0431311b5f024d6e66b90d59491f2563

  • SHA1

    e9ff4da7e3f2199cbc16d37d8935cb1b0567ac2a

  • SHA256

    fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199

  • SHA512

    d44b14e4b24e6e2d506ec32098488a16ebd5df57499ecd85e8878b8af2a3e1f9ed20d4125836417b702d0571f992aeac07af051dbf9268f48954556d17f51ee2

Score
10/10
njratevasionpersistencetrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\njRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\njRAT.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\njRAT.exe
      "C:\njRAT.exe"
      2⤵
      • Executes dropped EXE
      PID:1036
    • C:\njq8.exe
      "C:\njq8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Users\Admin\AppData\Local\Temp\windows.exe
        "C:\Users\Admin\AppData\Local\Temp\windows.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3224
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
          4⤵
            PID:2824
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\system32\ipconfig.exe
        ipconfig
        2⤵
        • Gathers network information
        PID:2176
      • C:\Windows\system32\format.com
        format c
        2⤵
        • Enumerates connected drives
        PID:2196
      • C:\Windows\system32\format.com
        format c:
        2⤵
          PID:2072
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2616
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\ConvertMerge.xhtml
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:82945 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1560

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Command-Line Interface

        1
        T1059

        Persistence

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\windows.exe
          MD5

          edc4f10a5e164db64bf79eca207f2749

          SHA1

          d08eb761a5446a4409a72f3af3fb8dd60eec7c92

          SHA256

          ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

          SHA512

          e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\windows.exe
          MD5

          edc4f10a5e164db64bf79eca207f2749

          SHA1

          d08eb761a5446a4409a72f3af3fb8dd60eec7c92

          SHA256

          ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

          SHA512

          e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

          Download Submit
        • C:\njRAT.exe
          MD5

          08f223ac15e2e92561ed310ae71415c1

          SHA1

          0a871a4b376bd8771188b96a9a1bb6fe1205160d

          SHA256

          51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec

          SHA512

          9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

          Download Submit
        • C:\njRAT.exe
          MD5

          08f223ac15e2e92561ed310ae71415c1

          SHA1

          0a871a4b376bd8771188b96a9a1bb6fe1205160d

          SHA256

          51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec

          SHA512

          9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

          Download Submit
        • C:\njq8.exe
          MD5

          edc4f10a5e164db64bf79eca207f2749

          SHA1

          d08eb761a5446a4409a72f3af3fb8dd60eec7c92

          SHA256

          ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

          SHA512

          e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

          Download Submit
        • C:\njq8.exe
          MD5

          edc4f10a5e164db64bf79eca207f2749

          SHA1

          d08eb761a5446a4409a72f3af3fb8dd60eec7c92

          SHA256

          ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

          SHA512

          e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

          Download Submit
        • memory/1036-132-0x0000000003254000-0x0000000003256000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1036-131-0x0000000003251000-0x0000000003252000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1036-127-0x0000000003250000-0x0000000003251000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1296-119-0x00000000054D0000-0x00000000054DA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1296-121-0x0000000005590000-0x0000000005A8E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1296-120-0x0000000005790000-0x00000000057E6000-memory.dmp
          Filesize

          344KB

          Download
        • memory/1296-115-0x0000000000A80000-0x0000000000B78000-memory.dmp
          Filesize

          992KB

          Download
        • memory/1296-118-0x0000000005630000-0x00000000056C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/1296-117-0x0000000005A90000-0x0000000005F8E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/1296-116-0x00000000054E0000-0x000000000557C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/1892-126-0x00000000029B0000-0x00000000029B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3224-130-0x0000000002890000-0x0000000002891000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3224-133-0x0000000002893000-0x0000000002895000-memory.dmp
          Filesize

          8KB

          Download