njrat | ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc

General

Target

ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe
Size

29KB
MD5

536d55f94c3a53510b6f088ac62c0980
SHA1

32ef91c30f8cde0426781761c0b4d86768e82ae4
SHA256

ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc
SHA512

22f892cc91a83cc5a3c80830eb50d7baff7ac053f4ec491de7e0871d89457c4a53b7804a76cb7850133b10ed9e4f2772dbf199e22fb982d25dfcad20c2b28cee
SSDEEP

768:yj77ucYfKQTtzjAqc3eUBKh0p29SgRMy6:y7hWVUJZKhG29j96

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

setokaiba.no-ip.biz:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes

reg_key
08f4dc96bbb7af09d1a37fe35c75a42f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

4916 explorer.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

4892 netsh.exe

pid	process
4892	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe

Drops startup file 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\08f4dc96bbb7af09d1a37fe35c75a42f.exe	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

explorer.exe

pid	process
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe
4916	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 4916 explorer.exe

description	pid	process
Token: SeDebugPrivilege	4916	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exeexplorer.exe

description	pid	process	target process
PID 1132 wrote to memory of 4916	1132	ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe	explorer.exe
PID 1132 wrote to memory of 4916	1132	ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe	explorer.exe
PID 1132 wrote to memory of 4916	1132	ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe	explorer.exe
PID 4916 wrote to memory of 4892	4916	explorer.exe	netsh.exe
PID 4916 wrote to memory of 4892	4916	explorer.exe	netsh.exe
PID 4916 wrote to memory of 4892	4916	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe
"C:\Users\Admin\AppData\Local\Temp\ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
536d55f94c3a53510b6f088ac62c0980

SHA1
32ef91c30f8cde0426781761c0b4d86768e82ae4

SHA256
ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc

SHA512
22f892cc91a83cc5a3c80830eb50d7baff7ac053f4ec491de7e0871d89457c4a53b7804a76cb7850133b10ed9e4f2772dbf199e22fb982d25dfcad20c2b28cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
536d55f94c3a53510b6f088ac62c0980

SHA1
32ef91c30f8cde0426781761c0b4d86768e82ae4

SHA256
ff8f477d7ff5e9ae54c5ba80be1f1884773e7da8dccb737508adba85413326cc

SHA512
22f892cc91a83cc5a3c80830eb50d7baff7ac053f4ec491de7e0871d89457c4a53b7804a76cb7850133b10ed9e4f2772dbf199e22fb982d25dfcad20c2b28cee

Download Submit
memory/1132-132-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/1132-136-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4892-137-0x0000000000000000-mapping.dmp

Download
memory/4916-133-0x0000000000000000-mapping.dmp

Download
memory/4916-138-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download
memory/4916-139-0x0000000075580000-0x0000000075B31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads