njrat | 6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

General

Target

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe
Size

43KB
MD5

bc64b8cf2bd62cdb36f1773aeeb35c83
SHA1

4882d4f8d0232db5f09281e1aaed8455c1e9cfee
SHA256

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f
SHA512

e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

0.tcp.ngrok.io:12829

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Windowst.exeServer.exeServer.exe

pid process

4872 Windowst.exe
1424 Server.exe
4480 Server.exe

pid	process
4872	Windowst.exe
1424	Server.exe
4480	Server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe

Drops startup file 2 IoCs

Processes:

Windowst.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Windowst.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Windowst.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Windowst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windowst.exe\" .."	Windowst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windowst.exe\" .."	Windowst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1840 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exeWindowst.exe

pid process

1148 6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe
4872 Windowst.exe

pid	process
1840	schtasks.exe

pid	process
1148	6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe
4872	Windowst.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

Windowst.exe

description	pid	process
Token: SeDebugPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe
Token: 33	4872	Windowst.exe
Token: SeIncBasePriorityPrivilege	4872	Windowst.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exeWindowst.exe

description	pid	process	target process
PID 1148 wrote to memory of 4872	1148	6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe	Windowst.exe
PID 1148 wrote to memory of 4872	1148	6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe	Windowst.exe
PID 1148 wrote to memory of 4872	1148	6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe	Windowst.exe
PID 4872 wrote to memory of 1840	4872	Windowst.exe	schtasks.exe
PID 4872 wrote to memory of 1840	4872	Windowst.exe	schtasks.exe
PID 4872 wrote to memory of 1840	4872	Windowst.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe
"C:\Users\Admin\AppData\Local\Temp\6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Roaming\Windowst.exe
"C:\Users\Admin\AppData\Roaming\Windowst.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
3⤵
- Creates scheduled task(s)
PID:1840

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
Filesize
507B

MD5
25d1b50e7c0d451f3d850eb54d27ca05

SHA1
a238807715c70a335f54e80d4855644b21a9e870

SHA256
650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5

SHA512
4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
bc64b8cf2bd62cdb36f1773aeeb35c83

SHA1
4882d4f8d0232db5f09281e1aaed8455c1e9cfee

SHA256
6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

SHA512
e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
bc64b8cf2bd62cdb36f1773aeeb35c83

SHA1
4882d4f8d0232db5f09281e1aaed8455c1e9cfee

SHA256
6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

SHA512
e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
43KB

MD5
bc64b8cf2bd62cdb36f1773aeeb35c83

SHA1
4882d4f8d0232db5f09281e1aaed8455c1e9cfee

SHA256
6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

SHA512
e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Download Submit
C:\Users\Admin\AppData\Roaming\Windowst.exe
Filesize
43KB

MD5
bc64b8cf2bd62cdb36f1773aeeb35c83

SHA1
4882d4f8d0232db5f09281e1aaed8455c1e9cfee

SHA256
6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

SHA512
e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Download Submit
C:\Users\Admin\AppData\Roaming\Windowst.exe
Filesize
43KB

MD5
bc64b8cf2bd62cdb36f1773aeeb35c83

SHA1
4882d4f8d0232db5f09281e1aaed8455c1e9cfee

SHA256
6aeeabaa314635486db2aa5b292f8046cb9fd352405989e45ef94acb53e81f1f

SHA512
e3ae0e07885832ef517c90c49fd6b59a8976bb14a6e9bb8cb6e1533c2d06d6d4cb3e96cc3caf2db484d7a2681a2e3a139790d73b5d5f20aa177316017723adbf

Download Submit
memory/1148-133-0x0000000005420000-0x00000000054B2000-memory.dmp

Filesize
584KB

Download
memory/1148-130-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1148-132-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/1148-131-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/1840-137-0x0000000000000000-mapping.dmp

Download
memory/4872-138-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/4872-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads