njrat | 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615

Analysis

max time kernel
150s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
Size

350KB
MD5

5d06ee3b0572ce04a5e53e25233dc693
SHA1

0aad02d7f40c706876c82bec8a2b67a1b81b678c
SHA256

078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615
SHA512

7ac400882991331e077af57cad5ebdd7d0614c5c1f24ca397865a9f80c3bfe8d4f68e0a00ca807a05196a0d1acef95f3fce0cc2d4efe8e9a21e9f71e61415787

Score

10^/10

njrat hack persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

hack

gazik500.ddns.net:4444

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Dannie.exeserver.exesvchost.exe

pid process

948 Dannie.exe
1692 server.exe
1936 svchost.exe

pid	process
948	Dannie.exe
1692	server.exe
1936	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	svchost.exe

Loads dropped DLL 3 IoCs

Processes:

078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exeDannie.exeserver.exe

pid process

1904 078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
948 Dannie.exe
1692 server.exe

pid	process
1904	078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
948	Dannie.exe
1692	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Drops file in Program Files directory 6 IoCs

Processes:

Dannie.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\d;	Dannie.exe
File created	C:\Program Files (x86)\d;\__tmp_rar_sfx_access_check_7079044	Dannie.exe
File created	C:\Program Files (x86)\d;\11.jpg	Dannie.exe
File opened for modification	C:\Program Files (x86)\d;\11.jpg	Dannie.exe
File created	C:\Program Files (x86)\d;\Server.exe	Dannie.exe
File opened for modification	C:\Program Files (x86)\d;\Server.exe	Dannie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

1936 svchost.exe

pid	process
1936	svchost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe
Token: 33	1936	svchost.exe
Token: SeIncBasePriorityPrivilege	1936	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

DllHost.exe

pid process

2044 DllHost.exe
2044 DllHost.exe

pid	process
2044	DllHost.exe
2044	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exeDannie.exeserver.exe

description	pid	process	target process
PID 1904 wrote to memory of 948	1904	078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe	Dannie.exe
PID 1904 wrote to memory of 948	1904	078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe	Dannie.exe
PID 1904 wrote to memory of 948	1904	078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe	Dannie.exe
PID 1904 wrote to memory of 948	1904	078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe	Dannie.exe
PID 948 wrote to memory of 1692	948	Dannie.exe	server.exe
PID 948 wrote to memory of 1692	948	Dannie.exe	server.exe
PID 948 wrote to memory of 1692	948	Dannie.exe	server.exe
PID 948 wrote to memory of 1692	948	Dannie.exe	server.exe
PID 1692 wrote to memory of 1936	1692	server.exe	svchost.exe
PID 1692 wrote to memory of 1936	1692	server.exe	svchost.exe
PID 1692 wrote to memory of 1936	1692	server.exe	svchost.exe
PID 1692 wrote to memory of 1936	1692	server.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe
"C:\Users\Admin\AppData\Local\Temp\078e63578cd61942f85311134a4edf3978070b26577b612ffc4ef1de2a179615.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\Dannie.exe
"C:\Users\Admin\AppData\Local\Temp\Dannie.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:948

C:\Program Files (x86)\d;\server.exe
"C:\Program Files (x86)\d;\server.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d;\11.jpg
Filesize
2KB

MD5
0a2a9ddec329aaa6ed47a7d4f109f99d

SHA1
735dc8517bdc9244c0b35f5479b20f16620da4cc

SHA256
d5051d42b16dc69e6d16aaa8db6d6e83446a879571c376f96902404f0b5ff513

SHA512
e9c59dbce92a045a8e4e3f0ec44eea53582efba1510447dfdd6f86c2ff8ad161891f0c88c7310513d54263de7d6c64839e53705773d08d065c59370340a61653

Download Submit
C:\Program Files (x86)\d;\Server.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
C:\Program Files (x86)\d;\server.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\166740_after.png
Filesize
28KB

MD5
7851d21cc91c3f497a475f9a21973ba4

SHA1
70d13fe57f545c82e22e233267fc56d617d84595

SHA256
63a5ee6b1fceadc7ece7f59fc131f65d7df99f9026237dceeffba79aca4d73fc

SHA512
c4dd28d8a3805ff99501bb8f00f54f8a6ec967c12006d8ed7b4ba8c6ff92c4ef96ea0f9ba14ca35ef57600944c972d17e96823bf3bb2927884668cae93367cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dannie.exe
Filesize
304KB

MD5
58c9d12aa7923001d6811467593d9f3a

SHA1
006c7e47c382a2699fcbc1acc55b4b2b280a3397

SHA256
eceb366ff2ee65642c96dcba00b02c22888b5b99a64ff3edf2d6ecbc69ef630b

SHA512
34e511548c34b184cc13be67bf73a6e3dbc588698522567313871645870f99ff16b686a8be65cb01cebbc07e47a3edadd013b894647d646d6e25086ea9ef8e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dannie.exe
Filesize
304KB

MD5
58c9d12aa7923001d6811467593d9f3a

SHA1
006c7e47c382a2699fcbc1acc55b4b2b280a3397

SHA256
eceb366ff2ee65642c96dcba00b02c22888b5b99a64ff3edf2d6ecbc69ef630b

SHA512
34e511548c34b184cc13be67bf73a6e3dbc588698522567313871645870f99ff16b686a8be65cb01cebbc07e47a3edadd013b894647d646d6e25086ea9ef8e5c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
\Program Files (x86)\d;\Server.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
\Users\Admin\AppData\Local\Temp\Dannie.exe
Filesize
304KB

MD5
58c9d12aa7923001d6811467593d9f3a

SHA1
006c7e47c382a2699fcbc1acc55b4b2b280a3397

SHA256
eceb366ff2ee65642c96dcba00b02c22888b5b99a64ff3edf2d6ecbc69ef630b

SHA512
34e511548c34b184cc13be67bf73a6e3dbc588698522567313871645870f99ff16b686a8be65cb01cebbc07e47a3edadd013b894647d646d6e25086ea9ef8e5c

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
43KB

MD5
4890d2eb768ec17a3a6ee2ab12209d74

SHA1
9bc2b46e4760e26bf95541b13a39348dfa0b2680

SHA256
1110e17ee226f56a7f3feed52e8b69fc4d8b3a5edc018f20af96d199009c3d64

SHA512
78d0b1024b2d0d14184934db2b45d29fff083e52fd665b28f7776ea01d2fe0196452961a2cb16f4658751a5c01a3f64dab2436ff47786b2de1a3a7724aa828e1

Download Submit
memory/948-56-0x0000000000000000-mapping.dmp

Download
memory/1692-62-0x0000000000000000-mapping.dmp

Download
memory/1692-65-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/1904-54-0x00000000763B1000-0x00000000763B3000-memory.dmp

Filesize
8KB

Download
memory/1936-70-0x0000000000000000-mapping.dmp

Download
memory/1936-73-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download