njrat | c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da

General

Target

a258fbc6346a5c5fcc28480a601d284c.exe
Size

27KB
MD5

a258fbc6346a5c5fcc28480a601d284c
SHA1

d579a1a2d1e79885ad80d4b3eb4d1a294f205399
SHA256

c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da
SHA512

7733d6836ceba7467d4925449297c69732e2ec5da9a6c93089deb2cecf2053726c6a91588a5255a71fbfd76bd8af89c74dab1a4ee19ee09ed6f88c3ff333582a
SSDEEP

384:2LuFFWP0CDZwnXmIQXkj90jEwmFterkSuldsP3NBa6Ml7AQk93vmhm7UMKmIEec1:wnRICol7A/vMHTi9bD

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

nomorelife15.ddns.net:9999

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1196	Payload.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	a258fbc6346a5c5fcc28480a601d284c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Windows\\Payload.exe"	a258fbc6346a5c5fcc28480a601d284c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Payload.exe	a258fbc6346a5c5fcc28480a601d284c.exe
File opened for modification	C:\Windows\Payload.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe
Token: 33	1196	Payload.exe
Token: SeIncBasePriorityPrivilege	1196	Payload.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1196	1996	a258fbc6346a5c5fcc28480a601d284c.exe	27
PID 1996 wrote to memory of 1196	1996	a258fbc6346a5c5fcc28480a601d284c.exe	27
PID 1996 wrote to memory of 1196	1996	a258fbc6346a5c5fcc28480a601d284c.exe	27
PID 1996 wrote to memory of 1196	1996	a258fbc6346a5c5fcc28480a601d284c.exe	27
PID 1996 wrote to memory of 1800	1996	a258fbc6346a5c5fcc28480a601d284c.exe	28
PID 1996 wrote to memory of 1800	1996	a258fbc6346a5c5fcc28480a601d284c.exe	28
PID 1996 wrote to memory of 1800	1996	a258fbc6346a5c5fcc28480a601d284c.exe	28
PID 1996 wrote to memory of 1800	1996	a258fbc6346a5c5fcc28480a601d284c.exe	28

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1800	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a258fbc6346a5c5fcc28480a601d284c.exe
"C:\Users\Admin\AppData\Local\Temp\a258fbc6346a5c5fcc28480a601d284c.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\Payload.exe
  "C:\Windows\Payload.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Windows\Payload.exe"
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
8c85f2dfe8e56c8c5b4fd081873a985b

SHA1
93637c5c22106b35a2595f52bb32fcd655d046d9

SHA256
a1f4fa7b2e83f8c1fe5933b1e5b20e3f985d4583e715edc6a96d8123f171b440

SHA512
5e5b7c35221a842774f320f3690e699bde307eaf9ed2fadbe7143b9bfbead0fac05eba15992ae5f7ead7625672eeb130f3d615666d47aa55e010c132c0a47758

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1014B

MD5
266a48cd8f9ff6e13decb003c0743c4b

SHA1
b42aa3e1114f210215ec73293d27fd1598476a21

SHA256
67e393c4e1ff5627534023421f5db1e8c30b40412de14df5b24c1bfb7ec648ee

SHA512
9b9acc6f39006a4369b6b84ec9ec1af4c82f2bb3540f9b8c0fc930beccdbff3b1e45025d8b268146afd655547af170452e22a4318dd3bc9a87a53d2888cf2546

Download Submit
C:\Windows\Payload.exe

Filesize
27KB

MD5
a258fbc6346a5c5fcc28480a601d284c

SHA1
d579a1a2d1e79885ad80d4b3eb4d1a294f205399

SHA256
c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da

SHA512
7733d6836ceba7467d4925449297c69732e2ec5da9a6c93089deb2cecf2053726c6a91588a5255a71fbfd76bd8af89c74dab1a4ee19ee09ed6f88c3ff333582a

Download Submit
C:\Windows\Payload.exe

Filesize
27KB

MD5
a258fbc6346a5c5fcc28480a601d284c

SHA1
d579a1a2d1e79885ad80d4b3eb4d1a294f205399

SHA256
c9e8a120268308c6f2392fdb2fa65dee5f2cd48b8bb3433d5de9842ea1d987da

SHA512
7733d6836ceba7467d4925449297c69732e2ec5da9a6c93089deb2cecf2053726c6a91588a5255a71fbfd76bd8af89c74dab1a4ee19ee09ed6f88c3ff333582a

Download Submit
memory/1196-64-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-65-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-63-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads