njrat | fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a

General

Target

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
Size

205KB
MD5

6b817df19fb115997b8f6601a8aae600
SHA1

bd099f7e50b762c62bf4e8196b11fa30f209cc85
SHA256

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a
SHA512

f7d8298aec68e43e6b0c309c7e633f3465020b697adfcd25c2fa619f9483bf2c4cb309aecba10d480d03cc50ff6e706f5423a911c36857bb127c14c781afc47a
SSDEEP

3072:N0g1eTQqYQW7idRF1MzdTxNbtF3/CGaqW8GurHKnTMPbcpp:N0gbHwF1udlZT6G1Wbuzy6bq

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

emew.no-ip.info:9696

Mutex

90cd23ba67e7e9682670983e066df085

Attributes

reg_key
90cd23ba67e7e9682670983e066df085
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

jsBcaMh2iiLEo8GtPrFK.exeIDmanger.exe

pid process

1288 jsBcaMh2iiLEo8GtPrFK.exe
1216 IDmanger.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

536 netsh.exe

pid	process
1288	jsBcaMh2iiLEo8GtPrFK.exe
1216	IDmanger.exe

pid	process
536	netsh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IDmanger.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\90cd23ba67e7e9682670983e066df085 = "\"C:\\Windows\\IDmanger.exe\" .."	IDmanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\90cd23ba67e7e9682670983e066df085 = "\"C:\\Windows\\IDmanger.exe\" .."	IDmanger.exe

Drops file in Windows directory 4 IoCs

Processes:

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exejsBcaMh2iiLEo8GtPrFK.exe

description	ioc	process
File created	C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\IDmanger.exe	jsBcaMh2iiLEo8GtPrFK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

IDmanger.exe

description	pid	process
Token: SeDebugPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe
Token: 33	1216	IDmanger.exe
Token: SeIncBasePriorityPrivilege	1216	IDmanger.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exejsBcaMh2iiLEo8GtPrFK.exeIDmanger.exe

description	pid	process	target process
PID 996 wrote to memory of 1288	996	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 996 wrote to memory of 1288	996	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 996 wrote to memory of 1288	996	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 996 wrote to memory of 1288	996	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 1288 wrote to memory of 1216	1288	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 1288 wrote to memory of 1216	1288	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 1288 wrote to memory of 1216	1288	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 1288 wrote to memory of 1216	1288	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 1216 wrote to memory of 536	1216	IDmanger.exe	netsh.exe
PID 1216 wrote to memory of 536	1216	IDmanger.exe	netsh.exe
PID 1216 wrote to memory of 536	1216	IDmanger.exe	netsh.exe
PID 1216 wrote to memory of 536	1216	IDmanger.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
"C:\Users\Admin\AppData\Local\Temp\fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe
  "C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\IDmanger.exe
    "C:\Windows\IDmanger.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\IDmanger.exe" "IDmanger.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IDmanger.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\IDmanger.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
694B

MD5
5684b040b9e7fc5cbffb54b202cb85c4

SHA1
1ff6677c483c8b009958800d66929d672d061a5e

SHA256
447a3d397d7c5940050a6ab98daac2de9c4fea4fbbbcc4e7c9c19e4dfb733ffd

SHA512
bd8c26a85c161702d20c8eb7b09135276d35d22c8779c8b17b923d04629613d230fc8466cd53bbea51e5e45b78255c03c106fc449eaaba970b01c697412da05e

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
694B

MD5
5684b040b9e7fc5cbffb54b202cb85c4

SHA1
1ff6677c483c8b009958800d66929d672d061a5e

SHA256
447a3d397d7c5940050a6ab98daac2de9c4fea4fbbbcc4e7c9c19e4dfb733ffd

SHA512
bd8c26a85c161702d20c8eb7b09135276d35d22c8779c8b17b923d04629613d230fc8466cd53bbea51e5e45b78255c03c106fc449eaaba970b01c697412da05e

Download Submit
C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
memory/536-70-0x0000000000000000-mapping.dmp

Download
memory/996-60-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/996-62-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1216-63-0x0000000000000000-mapping.dmp

Download
memory/1216-69-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1216-72-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-61-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-68-0x0000000074720000-0x0000000074CCB000-memory.dmp

Filesize
5.7MB

Download
memory/1288-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads