njrat | 703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58

General

Target

703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe
Size

55KB
MD5

b1ca74cde30f793a2e4de455ada781e0
SHA1

050f6fdbb2008406b7ce2688ac9c4e8c714e2587
SHA256

703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58
SHA512

66166ead2cad5cf36183f93c0ddca46eb4952f3e1e6cb9f4291c38f92cfb73a65df70ab69bf8198a893b24c983fa05de286b58c331685358fea05c809a002ee9

Score

10^/10

njrat random trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

random

C2

jayayy.ddns.net:58606

Mutex

2074ba7075011291d33a57aa49f7bcaa

Attributes

reg_key
2074ba7075011291d33a57aa49f7bcaa
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

560 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

560 AcroRd32.exe
560 AcroRd32.exe
560 AcroRd32.exe

pid	process
560	AcroRd32.exe

pid	process
560	AcroRd32.exe
560	AcroRd32.exe
560	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exerundll32.exe

description	pid	process	target process
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 1964 wrote to memory of 584	1964	703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe	rundll32.exe
PID 584 wrote to memory of 560	584	rundll32.exe	AcroRd32.exe
PID 584 wrote to memory of 560	584	rundll32.exe	AcroRd32.exe
PID 584 wrote to memory of 560	584	rundll32.exe	AcroRd32.exe
PID 584 wrote to memory of 560	584	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe
"C:\Users\Admin\AppData\Local\Temp\703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\
MD5
b1ca74cde30f793a2e4de455ada781e0

SHA1
050f6fdbb2008406b7ce2688ac9c4e8c714e2587

SHA256
703dca09e84a98247353b177d81f8b9db8b995a53230e1d78f86418c90d2ed58

SHA512
66166ead2cad5cf36183f93c0ddca46eb4952f3e1e6cb9f4291c38f92cfb73a65df70ab69bf8198a893b24c983fa05de286b58c331685358fea05c809a002ee9

Download Submit
memory/1964-55-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1964-56-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing