njrat | dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

Analysis

max time kernel
152s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-07-2022 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ja.exe
Size

93KB
MD5

f2321adc190e7db9b1f3b85e88f7ae54
SHA1

0b6126aaab291e1dbe0006411eff27789994aa78
SHA256

dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1
SHA512

e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==

Mutex

fb116b75140ecc0173c4ba46bdb8d155

Attributes

reg_key
fb116b75140ecc0173c4ba46bdb8d155
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

svchost.exeStUpdate.exeStUpdate.exe

pid process

4360 svchost.exe
4692 StUpdate.exe
2400 StUpdate.exe
Modifies Windows Firewall 1 TTPs 6 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

4660 netsh.exe
5032 netsh.exe
2556 netsh.exe
800 netsh.exe
4248 netsh.exe
4820 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ja.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation ja.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

ja.exe

description ioc process

File created C:\autorun.inf ja.exe
File opened for modification C:\autorun.inf ja.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4696 schtasks.exe

pid	process
4360	svchost.exe
4692	StUpdate.exe
2400	StUpdate.exe

pid	process
4660	netsh.exe
5032	netsh.exe
2556	netsh.exe
800	netsh.exe
4248	netsh.exe
4820	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ja.exe

description	ioc	process
File created	C:\autorun.inf	ja.exe
File opened for modification	C:\autorun.inf	ja.exe

pid	process
4696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ja.exe

pid	process
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe
4948	ja.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ja.exesvchost.exe

pid process

4948 ja.exe
4360 svchost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

ja.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4948	ja.exe
Token: SeDebugPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe
Token: 33	4360	svchost.exe
Token: SeIncBasePriorityPrivilege	4360	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ja.exesvchost.exe

description	pid	process	target process
PID 4948 wrote to memory of 4660	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 4660	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 4660	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 5032	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 5032	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 5032	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 2556	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 2556	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 2556	4948	ja.exe	netsh.exe
PID 4948 wrote to memory of 4360	4948	ja.exe	svchost.exe
PID 4948 wrote to memory of 4360	4948	ja.exe	svchost.exe
PID 4948 wrote to memory of 4360	4948	ja.exe	svchost.exe
PID 4360 wrote to memory of 800	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 800	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 800	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4248	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4248	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4248	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4820	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4820	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4820	4360	svchost.exe	netsh.exe
PID 4360 wrote to memory of 4696	4360	svchost.exe	schtasks.exe
PID 4360 wrote to memory of 4696	4360	svchost.exe	schtasks.exe
PID 4360 wrote to memory of 4696	4360	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ja.exe
"C:\Users\Admin\AppData\Local\Temp\ja.exe"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe" "ja.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:4660

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe"
2⤵
- Modifies Windows Firewall
PID:5032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\ja.exe" "ja.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2556

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:800

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
3⤵
- Modifies Windows Firewall
PID:4248

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" "svchost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4820

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
3⤵
- Creates scheduled task(s)
PID:4696

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StUpdate.exe.log
Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
Filesize
93KB

MD5
f2321adc190e7db9b1f3b85e88f7ae54

SHA1
0b6126aaab291e1dbe0006411eff27789994aa78

SHA256
dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

SHA512
e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
Filesize
93KB

MD5
f2321adc190e7db9b1f3b85e88f7ae54

SHA1
0b6126aaab291e1dbe0006411eff27789994aa78

SHA256
dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

SHA512
e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
Filesize
93KB

MD5
f2321adc190e7db9b1f3b85e88f7ae54

SHA1
0b6126aaab291e1dbe0006411eff27789994aa78

SHA256
dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

SHA512
e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
40B

MD5
9af3649bf2ea74a73f8f775ece772dd6

SHA1
85227138070bdcb7a49c79509d5d0c0b8df85afe

SHA256
fdb18cbf795a63a4a5678a707e24adb18b91ac50b99e8e6f685bd61f4f4a8816

SHA512
c77d8d336ad72a62633b2694455f33b76da452019623d3da7378d0e73f6504044b20db22230597c00a7cb6ec100cc55187541c9688cf3bbc112fb49ff3e4fa5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
f2321adc190e7db9b1f3b85e88f7ae54

SHA1
0b6126aaab291e1dbe0006411eff27789994aa78

SHA256
dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

SHA512
e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
f2321adc190e7db9b1f3b85e88f7ae54

SHA1
0b6126aaab291e1dbe0006411eff27789994aa78

SHA256
dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

SHA512
e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
047dda8d29bbbf2b6e1c3f4212189eba

SHA1
eb10217bbf887b1ad9b984cb7a559b177e2c762a

SHA256
afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

SHA512
84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
047dda8d29bbbf2b6e1c3f4212189eba

SHA1
eb10217bbf887b1ad9b984cb7a559b177e2c762a

SHA256
afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

SHA512
84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
047dda8d29bbbf2b6e1c3f4212189eba

SHA1
eb10217bbf887b1ad9b984cb7a559b177e2c762a

SHA256
afd43463eba279dc102afa66f3ef7173885c540c02776217638de34e03486125

SHA512
84c38a784fa77686de5be91738fffd0371ca667eff0e117c87e8e2d676ef29b7defe21c7bfa83f00ef967d73d3983fb038bd07b93fde963ec5ae10a2f569a822

Download Submit
memory/800-140-0x0000000000000000-mapping.dmp

Download
memory/2400-154-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/2556-133-0x0000000000000000-mapping.dmp

Download
memory/4248-141-0x0000000000000000-mapping.dmp

Download
memory/4360-145-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4360-134-0x0000000000000000-mapping.dmp

Download
memory/4360-139-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4660-131-0x0000000000000000-mapping.dmp

Download
memory/4692-148-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4692-150-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4696-144-0x0000000000000000-mapping.dmp

Download
memory/4820-142-0x0000000000000000-mapping.dmp

Download
memory/4948-130-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/4948-138-0x0000000075150000-0x0000000075701000-memory.dmp

Filesize
5.7MB

Download
memory/5032-132-0x0000000000000000-mapping.dmp

Download