njrat | 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c

General

Target

28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
Size

93KB
MD5

ad5ffd5268a01b519b539f1233b52fee
SHA1

1dde3b4a1c4b9b1ac753d649bf16f14744331e39
SHA256

28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c
SHA512

f73539047ac22ec1e3c1dd73401116b35cb43d305229f2c3bbc1ba89f1129fd05db8cb8db4bda7c8ac4970bc07fdb578568d80aa4e1bdaec319530f31ea32bd1

Score

10^/10

njrat hacker evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hacker

C2

FRANSESCOTI3LjAuFRANSESCOC4x:MTYwNA==

Mutex

dfd6ed83b13338db2ca4f209d9a7474f

Attributes

reg_key
dfd6ed83b13338db2ca4f209d9a7474f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

4992 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

1928 netsh.exe
4508 netsh.exe
4440 netsh.exe

pid	process
1928	netsh.exe
4508	netsh.exe
4440	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfd6ed83b13338db2ca4f209d9a7474fWindows Update.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe
4992	server.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exeserver.exe

pid process

2348 28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
4992 server.exe

pid	process
2348	28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
4992	server.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe
Token: 33	4992	server.exe
Token: SeIncBasePriorityPrivilege	4992	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exeserver.exe

description	pid	process	target process
PID 2348 wrote to memory of 4992	2348	28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe	server.exe
PID 2348 wrote to memory of 4992	2348	28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe	server.exe
PID 2348 wrote to memory of 4992	2348	28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe	server.exe
PID 4992 wrote to memory of 1928	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 1928	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 1928	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4508	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4508	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4508	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4440	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4440	4992	server.exe	netsh.exe
PID 4992 wrote to memory of 4440	4992	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe
"C:\Users\Admin\AppData\Local\Temp\28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1928

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:4508

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
5fa01e3399c29de16299d5f4ac743fb2

SHA1
04e29a03c4a56cf097701f34d6d2999b93035327

SHA256
6918b0e9f3af6051db0828a0ec9b353222b84164dab5ed3c85310eefce166223

SHA512
5492642165fb12e782f71ba84e8a673ecc047a8a8b3f2f59b64fa8200212326d36ed576fd119ffd0134f1daa03d14069ead81f0e29c2d59de10cdf4bbf2dc90c

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
ad5ffd5268a01b519b539f1233b52fee

SHA1
1dde3b4a1c4b9b1ac753d649bf16f14744331e39

SHA256
28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c

SHA512
f73539047ac22ec1e3c1dd73401116b35cb43d305229f2c3bbc1ba89f1129fd05db8cb8db4bda7c8ac4970bc07fdb578568d80aa4e1bdaec319530f31ea32bd1

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
ad5ffd5268a01b519b539f1233b52fee

SHA1
1dde3b4a1c4b9b1ac753d649bf16f14744331e39

SHA256
28d9c94fe4df6182e2a59cd806837ea242dd7971a44cc6f132220ab45e3ec27c

SHA512
f73539047ac22ec1e3c1dd73401116b35cb43d305229f2c3bbc1ba89f1129fd05db8cb8db4bda7c8ac4970bc07fdb578568d80aa4e1bdaec319530f31ea32bd1

Download Submit
memory/1928-137-0x0000000000000000-mapping.dmp

Download
memory/2348-130-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/2348-134-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/4440-139-0x0000000000000000-mapping.dmp

Download
memory/4508-138-0x0000000000000000-mapping.dmp

Download
memory/4992-131-0x0000000000000000-mapping.dmp

Download
memory/4992-136-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download
memory/4992-140-0x0000000075400000-0x00000000759B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads