njrat | f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3

General

Target

f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
Size

160KB
MD5

6f0b2e081e03994f35365d8040d39440
SHA1

14a26c7b04e8355e1952a375ee6aae73bcf266cb
SHA256

f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3
SHA512

27c2ea8dba91140e68e05aabfec580d415f0c155d0b9ea814b3415c25c29966dd81d521a1f3bcebe905954f0a2b2c8a0379325f7da53833532bf088ae8991cc1
SSDEEP

1536:yDl78bpZ//n1aG9IvMWfjSFWfOo57Eapn3wGxK7n3S7/j5rQyKhG29jH/A0OA8Fm:yebDOMWeFWGyjtwGYjaVsdA29M2B

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

tigano.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Tempserver.exeTrojan.exe

pid process

1564 Tempserver.exe
1580 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1032 netsh.exe

pid	process
1564	Tempserver.exe
1580	Trojan.exe

pid	process
1032	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exeTempserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Tempserver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Trojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

Trojan.exe

pid	process
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe
1580	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Trojan.exe

description pid process

Token: SeDebugPrivilege 1580 Trojan.exe

description	pid	process
Token: SeDebugPrivilege	1580	Trojan.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exeTempserver.exeTrojan.exe

description	pid	process	target process
PID 1608 wrote to memory of 1564	1608	f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe	Tempserver.exe
PID 1608 wrote to memory of 1564	1608	f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe	Tempserver.exe
PID 1608 wrote to memory of 1564	1608	f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe	Tempserver.exe
PID 1564 wrote to memory of 1580	1564	Tempserver.exe	Trojan.exe
PID 1564 wrote to memory of 1580	1564	Tempserver.exe	Trojan.exe
PID 1564 wrote to memory of 1580	1564	Tempserver.exe	Trojan.exe
PID 1580 wrote to memory of 1032	1580	Trojan.exe	netsh.exe
PID 1580 wrote to memory of 1032	1580	Trojan.exe	netsh.exe
PID 1580 wrote to memory of 1032	1580	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe
"C:\Users\Admin\AppData\Local\Temp\f5a8f1480e481826d465cdd310435b4756c77a42660262d6cd76f7bb7f5a68a3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Tempserver.exe
"C:\Users\Admin\AppData\Local\Tempserver.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
4f9b9308709cb4a1d375106fef21b3f9

SHA1
0db654095ff7b7f3e7a48279824f89542f1e412d

SHA256
2568ed7705ad3707b2209f5e028a3b25b20883fce050df699cbb527dd72bc56b

SHA512
ed838f1763a6cbbad2b8642caa5454613ef1f8be4758b18e2a393357d22d2b02be9a5f042d3af080d6bbbcc78aa9c049fad989788833def6a23034c222127b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
29KB

MD5
4f9b9308709cb4a1d375106fef21b3f9

SHA1
0db654095ff7b7f3e7a48279824f89542f1e412d

SHA256
2568ed7705ad3707b2209f5e028a3b25b20883fce050df699cbb527dd72bc56b

SHA512
ed838f1763a6cbbad2b8642caa5454613ef1f8be4758b18e2a393357d22d2b02be9a5f042d3af080d6bbbcc78aa9c049fad989788833def6a23034c222127b81

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
29KB

MD5
4f9b9308709cb4a1d375106fef21b3f9

SHA1
0db654095ff7b7f3e7a48279824f89542f1e412d

SHA256
2568ed7705ad3707b2209f5e028a3b25b20883fce050df699cbb527dd72bc56b

SHA512
ed838f1763a6cbbad2b8642caa5454613ef1f8be4758b18e2a393357d22d2b02be9a5f042d3af080d6bbbcc78aa9c049fad989788833def6a23034c222127b81

Download Submit
C:\Users\Admin\AppData\Local\Tempserver.exe
Filesize
29KB

MD5
4f9b9308709cb4a1d375106fef21b3f9

SHA1
0db654095ff7b7f3e7a48279824f89542f1e412d

SHA256
2568ed7705ad3707b2209f5e028a3b25b20883fce050df699cbb527dd72bc56b

SHA512
ed838f1763a6cbbad2b8642caa5454613ef1f8be4758b18e2a393357d22d2b02be9a5f042d3af080d6bbbcc78aa9c049fad989788833def6a23034c222127b81

Download Submit
memory/1032-144-0x0000000000000000-mapping.dmp

Download
memory/1564-137-0x0000000000000000-mapping.dmp

Download
memory/1564-143-0x000000006F760000-0x000000006FD11000-memory.dmp

Filesize
5.7MB

Download
memory/1580-140-0x0000000000000000-mapping.dmp

Download
memory/1580-145-0x000000006F760000-0x000000006FD11000-memory.dmp

Filesize
5.7MB

Download
memory/1580-146-0x000000006F760000-0x000000006FD11000-memory.dmp

Filesize
5.7MB

Download
memory/1608-132-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/1608-136-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

Filesize
40KB

Download
memory/1608-135-0x0000000004BE0000-0x0000000004C7C000-memory.dmp

Filesize
624KB

Download
memory/1608-134-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/1608-133-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads