njrat | c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3 | Triage

Analysis

max time kernel
170s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-07-2022 03:11

Sharing

Report Analysis Logs

General

Target

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
Size

579KB
MD5

4c4bde75b118d7db7df062e12a71a601
SHA1

57446c07b6893592a2dcea4ffa4e80bb52fdfb53
SHA256

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3
SHA512

f94d8f0dec04713a183d70860f6f90637fd0b14a14b78893df1ab99dcf70f582b1533a8569015800bebf855b09959693a332052dbe115706921f95aa12bf7bba

Score

10^/10

njrat xmasmoney evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

XmasMoney

C2

185.244.30.248:4040

Mutex

65846043dcc7fda8dafdf43614eb84ef

Attributes

reg_key
65846043dcc7fda8dafdf43614eb84ef
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4756 netsh.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/2080-132-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\65846043dcc7fda8dafdf43614eb84ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe\" .."	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\65846043dcc7fda8dafdf43614eb84ef = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe\" .."	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

description	pid	process	target process
PID 1136 set thread context of 2080	1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

pid	process
1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

pid	process
1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

description	pid	process
Token: SeDebugPrivilege	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
Token: 33	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
Token: SeIncBasePriorityPrivilege	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exec3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe

description	pid	process	target process
PID 1136 wrote to memory of 2080	1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
PID 1136 wrote to memory of 2080	1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
PID 1136 wrote to memory of 2080	1136	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
PID 2080 wrote to memory of 4756	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	netsh.exe
PID 2080 wrote to memory of 4756	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	netsh.exe
PID 2080 wrote to memory of 4756	2080	c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
"C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe
"C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe"
2⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe" "c3daf76ae9091d522b94c3ce01b14b1472abf14cacb10123804b72bd7dbb99b3.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2080-131-0x0000000000000000-mapping.dmp

Download
memory/2080-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2080-134-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2080-133-0x0000000000510000-0x000000000051A000-memory.dmp

Filesize
40KB

Download
memory/2080-135-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2080-136-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2080-138-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/4756-137-0x0000000000000000-mapping.dmp

Download