njrat | c30250a18d472e5c8379e8eaa939e0bf3cc87cfe991da6deba491a092afb0611

Analysis

max time kernel
30s
max time network
32s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-09-2022 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender Priv8 Version/Heart-Sender-V1.2.exe
Size

1.5MB
MD5

175d1484e55c5b6f16bff5631b92c171
SHA1

b11901746a8143c558877ea42dfa1221874bfba5
SHA256

7119d9570d888f5ffcb8f3c54d8d962fc87d83fbdd34c96b951acb3d2889777f
SHA512

93fa8f0b5401ef5d6069bfecec897267fae61888d82058973687bb13bcfa684d3c29249703774c889efe5ae91efda0957098f1c3fd4d7a0eccec86184104537c
SSDEEP

12288:+7qKAAwzaQa3lsZtsW2NH8d98AsmZF3ARZ0AsEye7Zm8TPXWP:2xJwzaQa3Pc98pmZFQ3WP

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

newpartyfrmaap.ddns.net:7070

Mutex

fb4647cd59a8f29058f4529d83344fa5

Attributes

reg_key
fb4647cd59a8f29058f4529d83344fa5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

WindowsApp1.exeHeart-Sender-V1.2.exeJavaUpdate.exe

pid process

944 WindowsApp1.exe
1760 Heart-Sender-V1.2.exe
1564 JavaUpdate.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1592 netsh.exe
Loads dropped DLL 3 IoCs

Processes:

Heart-Sender-V1.2.exeWindowsApp1.exe

pid process

1956 Heart-Sender-V1.2.exe
1956 Heart-Sender-V1.2.exe
944 WindowsApp1.exe

pid	process
944	WindowsApp1.exe
1760	Heart-Sender-V1.2.exe
1564	JavaUpdate.exe

pid	process
1592	netsh.exe

pid	process
1956	Heart-Sender-V1.2.exe
1956	Heart-Sender-V1.2.exe
944	WindowsApp1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

JavaUpdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fb4647cd59a8f29058f4529d83344fa5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdate.exe\" .."	JavaUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fb4647cd59a8f29058f4529d83344fa5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\JavaUpdate.exe\" .."	JavaUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

JavaUpdate.exe

description pid process

Token: SeDebugPrivilege 1564 JavaUpdate.exe

description	pid	process
Token: SeDebugPrivilege	1564	JavaUpdate.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Heart-Sender-V1.2.exeWindowsApp1.exeJavaUpdate.exe

description	pid	process	target process
PID 1956 wrote to memory of 944	1956	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 1956 wrote to memory of 944	1956	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 1956 wrote to memory of 944	1956	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 1956 wrote to memory of 944	1956	Heart-Sender-V1.2.exe	WindowsApp1.exe
PID 1956 wrote to memory of 1760	1956	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 1956 wrote to memory of 1760	1956	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 1956 wrote to memory of 1760	1956	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 1956 wrote to memory of 1760	1956	Heart-Sender-V1.2.exe	Heart-Sender-V1.2.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 944 wrote to memory of 1564	944	WindowsApp1.exe	JavaUpdate.exe
PID 1564 wrote to memory of 1592	1564	JavaUpdate.exe	netsh.exe
PID 1564 wrote to memory of 1592	1564	JavaUpdate.exe	netsh.exe
PID 1564 wrote to memory of 1592	1564	JavaUpdate.exe	netsh.exe
PID 1564 wrote to memory of 1592	1564	JavaUpdate.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Heart-Sender Priv8 Version\Heart-Sender-V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender Priv8 Version\Heart-Sender-V1.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
"C:\Users\Admin\AppData\Roaming\JavaUpdate.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\JavaUpdate.exe" "JavaUpdate.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1592

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe"
2⤵
- Executes dropped EXE
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
Filesize
226KB

MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
Filesize
226KB

MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
C:\Users\Admin\AppData\Roaming\JavaUpdate.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2.exe
Filesize
226KB

MD5
9c7691ff597e9efd7f796b31accb78e8

SHA1
81bb289aa37d182b60e86990376a375de7a8decc

SHA256
1624af752c9f85fd117fafb28feb42a079f283dc133cdcc5799810072a95a6cb

SHA512
739f187aaeda13b7ebef3918a965b8da4ee939cd3e60d36802768f52be7b08f5964b121d1e977f4c408ff8ae6aba02df4a4d37785735c2f70d8610551cbab135

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsApp1.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
\Users\Admin\AppData\Roaming\JavaUpdate.exe
Filesize
1.0MB

MD5
0f2aa87f7c7e6b11b911f71170ba1104

SHA1
03000e57f78fab7596c4c59aab06fda9c2e9d91d

SHA256
b596ca499b0af2b700d867b976d0d793a98431309f88ef306c62056d0315f857

SHA512
f2e7d5646490ed4cf1b3a8dbaa7490228f744d694c7642f4bd4d22a155235720f2fa5ac65b5e4adcd443139e12a630198dd8d558d977c90bf1802851b7e54fb9

Download Submit
memory/944-57-0x0000000000000000-mapping.dmp

Download
memory/944-66-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/944-69-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1564-75-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-72-0x0000000000000000-mapping.dmp

Download
memory/1592-76-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000001FE5000-0x0000000001FF6000-memory.dmp

Filesize
68KB

Download
memory/1760-67-0x00000000048A0000-0x0000000004958000-memory.dmp

Filesize
736KB

Download
memory/1760-65-0x00000000000C0000-0x00000000000FE000-memory.dmp

Filesize
248KB

Download
memory/1760-61-0x0000000000000000-mapping.dmp

Download
memory/1760-78-0x0000000001FE5000-0x0000000001FF6000-memory.dmp

Filesize
68KB

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1956-64-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-55-0x00000000742C0000-0x000000007486B000-memory.dmp

Filesize
5.7MB

Download