njrat | 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2

General

Target

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Size

43KB
MD5

b52b066ef534b240de3eb73cf67b7963
SHA1

4e3e84e546d30a8fc1c2d89e68559110a3a65b2b
SHA256

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2
SHA512

d87d044384f3ff53f2d3f56d6e796d11f767f1d20697d826c3ef91a0ba082c0ab8ba159cf023080b85e0fcf5564870828cd02e19d5185d57de1c5b545593e469

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe\" .."	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe\" .."	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

pid process

1280 7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

pid	process
1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

description	pid	process
Token: SeDebugPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: 33	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
Token: SeIncBasePriorityPrivilege	1280	7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe

C:\Users\Admin\AppData\Local\Temp\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe
"C:\Users\Admin\AppData\Local\Temp\7a019c12b2b672db61681744636bac0ebbf001f578f1115779fdab694f3860e2.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-54-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/1280-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads