Resubmissions

  • 08-09-2022 17:44  220908-wblklafbe7  3
  • 07-09-2022 00:27  220907-arqnlaafh7  1
  • 05-09-2022 16:52  220905-vdthjsehd3  3
  • 05-09-2022 16:42  220905-t7p7jsegc2  7
  • 05-09-2022 16:37  220905-t49f1sefh3  3
  • 31-08-2022 06:37  220831-hdwlpabhc7  1
  • 31-08-2022 06:32  220831-haw32sabhk  10
  • 31-08-2022 05:40  220831-gcy5rahffl  10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-08-2022 06:32

General

  • Target

    http://20.7.14.99/server/

Malware Config

Extracted

  • Family: njrat
  • Version: 0.7d
  • Botnet: HacKed
  • C2: 20.7.14.99:5552
  • Mutex: 9636f5e673cfb8069e1ef3d1f8bc784b
  • Attributes
    • reg_key: 9636f5e673cfb8069e1ef3d1f8bc784b
    • splitter: |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Modifies Windows Firewall (1 TTPs, 1 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 41 IoCs)
  • Modifies registry class (34 IoCs)
  • Suspicious use of AdjustPrivilegeToken (29 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://20.7.14.99/server/
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3924 CREDAT:17410 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4328
    • C:\Users\Admin\Downloads\Server.exe
      "C:\Users\Admin\Downloads\Server.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Modify Existing Service (1) T1031
    • Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    • Modify Registry (3) T1112
  • Discovery
    • Query Registry (1) T1012
    • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\uzvz31z\imagestore.dat
    Filesize: 30KB
    MD5: d8c8a36ad71e3f8199cc2ee498e23590
    SHA1: 77ae3123a446dfaba98a68ec15acc9b33c665a68
    SHA256: 020a337c6e70ad5814868c558d6135cfa5d92619fa511733ba9cc2940d6bf730
    SHA512: a858e59471aaa2df94dc989ac2bc1f70d77ed093814b1edfa810d8c7daa8b42d5e7356c8c82b30a1a66f346603bc4ba2b210d346b565f96e0eff929bb08b2761

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize: 23KB
    MD5: 4cc52b12b15e02c96fed275defa813af
    SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
    SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
    SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

  • C:\Users\Admin\Downloads\Server.exe
    Filesize: 23KB
    MD5: 4cc52b12b15e02c96fed275defa813af
    SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
    SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
    SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

  • C:\Users\Admin\Downloads\Server.exe.ootvwke.partial
    Filesize: 23KB
    MD5: 4cc52b12b15e02c96fed275defa813af
    SHA1: a35a727745e25e1b71119968d3f090dfc4c07c18
    SHA256: db62cd044da6120e08c11b7cc41f9ac0fb160adedd1f7a3a6380713d3a305357
    SHA512: addaa15db05d0eee7f43715406fc41ebd1dd0dc1b626d473c85c302ff541f7033dd77585912e1630e10474db212aa5d9122bb8527d9383437fba9d56e90c3676

  • memory/1456-134-0x0000000000000000-mapping.dmp
  • memory/1456-136-0x0000000070140000-0x00000000706F1000-memory.dmp
    Filesize: 5.7MB
  • memory/1456-140-0x0000000070140000-0x00000000706F1000-memory.dmp
    Filesize: 5.7MB
  • memory/2816-137-0x0000000000000000-mapping.dmp
  • memory/2816-141-0x0000000070140000-0x00000000706F1000-memory.dmp
    Filesize: 5.7MB
  • memory/2816-143-0x0000000070140000-0x00000000706F1000-memory.dmp
    Filesize: 5.7MB
  • memory/3752-142-0x0000000000000000-mapping.dmp