njrat | 792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79

General

Target

792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
Size

93KB
MD5

618baf8e7c20ee01ebddec4d8830ab71
SHA1

5006da7e81c4b1b20607f1a201f92526c0861238
SHA256

792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79
SHA512

1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4

Score

10^/10

njrat hacker evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacker

C2

aGFja2hvc3RuYW1lLmhvcHRvLm9yZwStrikStrik:MTk4NA==

Mutex

c6941743bce17ae335bca7d6739b33d7

Attributes

reg_key
c6941743bce17ae335bca7d6739b33d7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

964 server.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
964	server.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6941743bce17ae335bca7d6739b33d7Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6941743bce17ae335bca7d6739b33d7Windows Update.exe	server.exe

Loads dropped DLL 2 IoCs

Processes:

792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe

pid	process
1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

964 server.exe

pid	process
964	server.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe
Token: 33	964	server.exe
Token: SeIncBasePriorityPrivilege	964	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exeserver.exe

description	pid	process	target process
PID 1984 wrote to memory of 964	1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe	server.exe
PID 1984 wrote to memory of 964	1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe	server.exe
PID 1984 wrote to memory of 964	1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe	server.exe
PID 1984 wrote to memory of 964	1984	792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe	server.exe
PID 964 wrote to memory of 1524	964	server.exe	netsh.exe
PID 964 wrote to memory of 1524	964	server.exe	netsh.exe
PID 964 wrote to memory of 1524	964	server.exe	netsh.exe
PID 964 wrote to memory of 1524	964	server.exe	netsh.exe
PID 964 wrote to memory of 1228	964	server.exe	netsh.exe
PID 964 wrote to memory of 1228	964	server.exe	netsh.exe
PID 964 wrote to memory of 1228	964	server.exe	netsh.exe
PID 964 wrote to memory of 1228	964	server.exe	netsh.exe
PID 964 wrote to memory of 688	964	server.exe	netsh.exe
PID 964 wrote to memory of 688	964	server.exe	netsh.exe
PID 964 wrote to memory of 688	964	server.exe	netsh.exe
PID 964 wrote to memory of 688	964	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe
"C:\Users\Admin\AppData\Local\Temp\792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:1524

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
PID:1228

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
8fc22f973bec7f0525710dcf02f05edf

SHA1
418f88fe2c59f8d9579994aec4034d785e8ac00c

SHA256
ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46

SHA512
ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
618baf8e7c20ee01ebddec4d8830ab71

SHA1
5006da7e81c4b1b20607f1a201f92526c0861238

SHA256
792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79

SHA512
1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
618baf8e7c20ee01ebddec4d8830ab71

SHA1
5006da7e81c4b1b20607f1a201f92526c0861238

SHA256
792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79

SHA512
1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
618baf8e7c20ee01ebddec4d8830ab71

SHA1
5006da7e81c4b1b20607f1a201f92526c0861238

SHA256
792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79

SHA512
1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
618baf8e7c20ee01ebddec4d8830ab71

SHA1
5006da7e81c4b1b20607f1a201f92526c0861238

SHA256
792d4d7a1a0c7b192b231f03ef1b2c905f382a152bfc145702f2902c9e8efc79

SHA512
1d02345297c0fe5243674024934be9beca6cc2108bd83eb594cc82054dea117823d5f6940245438cf65e8078cdc1d64daac2b81d954e9666b84d0c4bdc7530e4

Download Submit
memory/688-67-0x0000000000000000-mapping.dmp

Download
memory/964-58-0x0000000000000000-mapping.dmp

Download
memory/964-63-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download
memory/1228-66-0x0000000000000000-mapping.dmp

Download
memory/1524-64-0x0000000000000000-mapping.dmp

Download
memory/1984-54-0x00000000752D1000-0x00000000752D3000-memory.dmp

Filesize
8KB

Download
memory/1984-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads