njrat | 5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

General

Target

0x000a0000000122f5-56.exe
Size

23KB
MD5

ffa4d67e73388d5573b9e55a029800ab
SHA1

929760e8f38433556280bc348609273e1d2d25e1
SHA256

5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700
SHA512

e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c
SSDEEP

384:2sqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZNHhy:Bf65K2Yf1jKRpcnumo

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

0.tcp.ngrok.io:17413

Mutex

ed0dbeeaea86b7db8fabde04117ddf70

Attributes

reg_key
ed0dbeeaea86b7db8fabde04117ddf70
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1000 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1988 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

0x000a0000000122f5-56.exe

pid process

768 0x000a0000000122f5-56.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1000	server.exe

pid	process
1988	netsh.exe

pid	process
768	0x000a0000000122f5-56.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe
Token: 33	1000	server.exe
Token: SeIncBasePriorityPrivilege	1000	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0x000a0000000122f5-56.exeserver.exe

description	pid	process	target process
PID 768 wrote to memory of 1000	768	0x000a0000000122f5-56.exe	server.exe
PID 768 wrote to memory of 1000	768	0x000a0000000122f5-56.exe	server.exe
PID 768 wrote to memory of 1000	768	0x000a0000000122f5-56.exe	server.exe
PID 768 wrote to memory of 1000	768	0x000a0000000122f5-56.exe	server.exe
PID 1000 wrote to memory of 1988	1000	server.exe	netsh.exe
PID 1000 wrote to memory of 1988	1000	server.exe	netsh.exe
PID 1000 wrote to memory of 1988	1000	server.exe	netsh.exe
PID 1000 wrote to memory of 1988	1000	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000122f5-56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
ffa4d67e73388d5573b9e55a029800ab

SHA1
929760e8f38433556280bc348609273e1d2d25e1

SHA256
5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

SHA512
e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
ffa4d67e73388d5573b9e55a029800ab

SHA1
929760e8f38433556280bc348609273e1d2d25e1

SHA256
5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

SHA512
e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
ffa4d67e73388d5573b9e55a029800ab

SHA1
929760e8f38433556280bc348609273e1d2d25e1

SHA256
5cf17f3d1a5b7713a357bcd0473986e575733fdee5f10e390272793aeea92700

SHA512
e50f469dc6ac8ed96d7f1a363823202319439e196b3689caf0a53ee4a31aab26b44c0c543e7f879b0268c9f2e6a9bc21797a3af28bb696a68f830ff9dc7dd81c

Download Submit
memory/768-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/768-55-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/768-61-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-57-0x0000000000000000-mapping.dmp

Download
memory/1000-62-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-65-0x0000000074EE0000-0x000000007548B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing