njrat | fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a

General

Target

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
Size

205KB
MD5

6b817df19fb115997b8f6601a8aae600
SHA1

bd099f7e50b762c62bf4e8196b11fa30f209cc85
SHA256

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a
SHA512

f7d8298aec68e43e6b0c309c7e633f3465020b697adfcd25c2fa619f9483bf2c4cb309aecba10d480d03cc50ff6e706f5423a911c36857bb127c14c781afc47a
SSDEEP

3072:N0g1eTQqYQW7idRF1MzdTxNbtF3/CGaqW8GurHKnTMPbcpp:N0gbHwF1udlZT6G1Wbuzy6bq

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

emew.no-ip.info:9696

Mutex

90cd23ba67e7e9682670983e066df085

Attributes

reg_key
90cd23ba67e7e9682670983e066df085
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

jsBcaMh2iiLEo8GtPrFK.exeIDmanger.exe

pid process

4972 jsBcaMh2iiLEo8GtPrFK.exe
4324 IDmanger.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1676 netsh.exe

pid	process
4972	jsBcaMh2iiLEo8GtPrFK.exe
4324	IDmanger.exe

pid	process
1676	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jsBcaMh2iiLEo8GtPrFK.exefe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	jsBcaMh2iiLEo8GtPrFK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IDmanger.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\90cd23ba67e7e9682670983e066df085 = "\"C:\\Windows\\IDmanger.exe\" .."	IDmanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90cd23ba67e7e9682670983e066df085 = "\"C:\\Windows\\IDmanger.exe\" .."	IDmanger.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe

Drops file in Windows directory 7 IoCs

Processes:

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exejsBcaMh2iiLEo8GtPrFK.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\IDmanger.exe	jsBcaMh2iiLEo8GtPrFK.exe
File opened for modification	C:\Windows\assembly	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\assembly\Desktop.ini	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

IDmanger.exe

description	pid	process
Token: SeDebugPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe
Token: 33	4324	IDmanger.exe
Token: SeIncBasePriorityPrivilege	4324	IDmanger.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exejsBcaMh2iiLEo8GtPrFK.exeIDmanger.exe

description	pid	process	target process
PID 1660 wrote to memory of 4972	1660	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 1660 wrote to memory of 4972	1660	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 1660 wrote to memory of 4972	1660	fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe	jsBcaMh2iiLEo8GtPrFK.exe
PID 4972 wrote to memory of 4324	4972	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 4972 wrote to memory of 4324	4972	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 4972 wrote to memory of 4324	4972	jsBcaMh2iiLEo8GtPrFK.exe	IDmanger.exe
PID 4324 wrote to memory of 1676	4324	IDmanger.exe	netsh.exe
PID 4324 wrote to memory of 1676	4324	IDmanger.exe	netsh.exe
PID 4324 wrote to memory of 1676	4324	IDmanger.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe
"C:\Users\Admin\AppData\Local\Temp\fe9fc2ade7b749dd526e675e318e95963a3ecf856689458edf0ed37f29d78d4a.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe
  "C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\IDmanger.exe
    "C:\Windows\IDmanger.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\IDmanger.exe" "IDmanger.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IDmanger.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\IDmanger.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
694B

MD5
351441c42e43f2d90ae21577d219fde5

SHA1
fba24814f169e1167b4288d4a11d31e587c0996f

SHA256
bd5574453e4af2602fd7537e5bdfa5e7456031aea2b731f989eaaef8c3900fa6

SHA512
9d6f8d348d7e33f6b864e59162cb8c95a45af0dd2ce77da81f6694258cb474a469c8a7da042cb791ef8b56abf233e4aa6f83c0871bcb504978ea494a9b7ccf03

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
694B

MD5
351441c42e43f2d90ae21577d219fde5

SHA1
fba24814f169e1167b4288d4a11d31e587c0996f

SHA256
bd5574453e4af2602fd7537e5bdfa5e7456031aea2b731f989eaaef8c3900fa6

SHA512
9d6f8d348d7e33f6b864e59162cb8c95a45af0dd2ce77da81f6694258cb474a469c8a7da042cb791ef8b56abf233e4aa6f83c0871bcb504978ea494a9b7ccf03

Download Submit
C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
C:\Windows\jsBcaMh2iiLEo8GtPrFK.exe

Filesize
23KB

MD5
3dfd56fb7f8d40f2fc84616bddd40c57

SHA1
84cb83ed25f7a8f1293be9881ba364a0bb7a8b96

SHA256
664760472f473628e2d3e87b7c2a1560072e3afe1dc9c3703df5656d3c3c2a98

SHA512
e313a31de0dca0b75d6db870481225672e0e27694de6fb9f0ec3f6a0b62f23e9e94efbc1ce24480b9ec5e9b5247e8a1c40a0b671fbe36d75705dc2c789563e9b

Download Submit
memory/1660-136-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1660-132-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/1676-145-0x0000000000000000-mapping.dmp

Download
memory/4324-138-0x0000000000000000-mapping.dmp

Download
memory/4324-144-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4324-146-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4972-137-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download
memory/4972-133-0x0000000000000000-mapping.dmp

Download
memory/4972-143-0x00000000747D0000-0x0000000074D81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads