njrat | 77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb

Analysis

max time kernel
4294219s
max time network
151s
platform
windows7_x64
resource
win7-20220223-en
submitted
09-03-2022 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
Size

539KB
MD5

c6f6dbd9cc541857159b379ed0b52e9a
SHA1

9fb25d597eae11b3867e8dd532d536872197782e
SHA256

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb
SHA512

10fa08450a72c59dbb9c18d5ffd8eb156b75e6b67f487fa02765bab7a05e781f028d068f08c823d2a2fd3fd5ce6e06dc48be9f4f3005996ac6ee636be6ed9e52

Score

10^/10

njrat topher persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

denemedarkdarkxxa.duckdns.org:1604

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Desktop.exenjCrypted.exe

pid process

1652 Desktop.exe
980 njCrypted.exe

pid	process
1652	Desktop.exe
980	njCrypted.exe

Drops startup file 2 IoCs

Processes:

njCrypted.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	njCrypted.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	njCrypted.exe

Loads dropped DLL 7 IoCs

Processes:

cmd.exeDesktop.exenjCrypted.exe

pid process

1824 cmd.exe
1652 Desktop.exe
1652 Desktop.exe
1652 Desktop.exe
1652 Desktop.exe
980 njCrypted.exe
980 njCrypted.exe

pid	process
1824	cmd.exe
1652	Desktop.exe
1652	Desktop.exe
1652	Desktop.exe
1652	Desktop.exe
980	njCrypted.exe
980	njCrypted.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

njCrypted.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .."	njCrypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njCrypted.exe\" .."	njCrypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

njCrypted.exe

pid process

980 njCrypted.exe

pid	process
980	njCrypted.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

njCrypted.exe

description	pid	process
Token: SeDebugPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe
Token: 33	980	njCrypted.exe
Token: SeIncBasePriorityPrivilege	980	njCrypted.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.execmd.exeDesktop.exe

description	pid	process	target process
PID 960 wrote to memory of 1824	960	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 960 wrote to memory of 1824	960	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 960 wrote to memory of 1824	960	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 960 wrote to memory of 1824	960	77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe	cmd.exe
PID 1824 wrote to memory of 1652	1824	cmd.exe	Desktop.exe
PID 1824 wrote to memory of 1652	1824	cmd.exe	Desktop.exe
PID 1824 wrote to memory of 1652	1824	cmd.exe	Desktop.exe
PID 1824 wrote to memory of 1652	1824	cmd.exe	Desktop.exe
PID 1652 wrote to memory of 980	1652	Desktop.exe	njCrypted.exe
PID 1652 wrote to memory of 980	1652	Desktop.exe	njCrypted.exe
PID 1652 wrote to memory of 980	1652	Desktop.exe	njCrypted.exe
PID 1652 wrote to memory of 980	1652	Desktop.exe	njCrypted.exe

C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe
"C:\Users\Admin\AppData\Local\Temp\77995f9bc0c2cee84b02ebcca1e74714574b0decf6aa80c788fb5d553c8c0efb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Run.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
Desktop.exe -p123
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
"C:\Users\Admin\AppData\Local\Temp\njCrypted.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Desktop.exe
MD5
8bb1f98c7477ad78f791fdd456fe2379

SHA1
247056c9eb9741bb383bf056371e0634c94d6e01

SHA256
52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c

SHA512
8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desktop.exe
MD5
8bb1f98c7477ad78f791fdd456fe2379

SHA1
247056c9eb9741bb383bf056371e0634c94d6e01

SHA256
52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c

SHA512
8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420

Download Submit
C:\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Run.bat
MD5
33aac93bbfac6285ee2343af52e67951

SHA1
b878552b521d0b8f0031b07749221b6d310217d3

SHA256
d81716d88ad01dd36b74fe8b6fbf194f108e8e05f136a5e3e82b68764c414d8f

SHA512
58a7bd40077d4442e79ecc9cb9295cfea3ff9333ff906c6c7a512872ee168acbec7c358213036f2404073cc1bf4b07ec18c454047d47b320f94e528272bdf90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
C:\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
\Users\Admin\AppData\Local\Temp\Desktop.exe
MD5
8bb1f98c7477ad78f791fdd456fe2379

SHA1
247056c9eb9741bb383bf056371e0634c94d6e01

SHA256
52c33bcf87e73c6a9c7845a1e6402c3ac092e846735cba1e02f8ef21476abd6c

SHA512
8129a02dcf88a20a94ad174455de28c7b66aa89a4e15e79253d5b52b5c2db26c1ae93405d140aef067ece48ff2bc3dd7747b6d91d7411606962ee3d4b8ecc420

Download Submit
\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
\Users\Admin\AppData\Local\Temp\EntryPoint.dll
MD5
1a7b936836035d21ebd2294f574b6eea

SHA1
d0e1ff21f91ec7bc9c57899c051c6c9c98b9cfef

SHA256
52b168751f25a4c68ff6cac2035a8554e35a609eca4f70831592ab02a1fa8ba2

SHA512
5ff43920f0936171252364b5347049941cae7232e80b43b53e1908933fcfb9aefa8141b8f7d00b7a21f42c90e803780bdfc2ddb7182e9017b5294aa8e0ccfe71

Download Submit
\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
\Users\Admin\AppData\Local\Temp\njCrypted.exe
MD5
6038ae65dfbd99b83ff4d7b85cb29d3d

SHA1
4b44d8ba4d51222af49f1e700857715094b9faa8

SHA256
46819d84fca655adff31af8b787177fa0d31a8cba30a5cf75f8e7f32a9c95946

SHA512
cb7c048f163bbf266afb2c53972a965b2e548e178315178afe85b89508a11cc6f9605f67674fe7efde7aab1b05e66ce22915e7f0dc2c5350b46879f4dfcfb715

Download Submit
memory/960-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/980-70-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/980-66-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/980-71-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/980-72-0x0000000073D50000-0x000000007443E000-memory.dmp

Filesize
6.9MB

Download
memory/980-73-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download