njrat | 97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

General

Target

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
Size

255KB
MD5

692cc299413a63e12db0be146ad906e0
SHA1

6f2c1dc4b26c21784f9ee4fb850abad30d4e0850
SHA256

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9
SHA512

674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505
SSDEEP

6144:bvAEij0W9CjZKtA547QBrdrpw6Eqt1pNJP:bvADjojU6WUdrqzKJP

Score

10^/10

njrat yahoo evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

yahoo

C2

aseel123.ddns.net:5552

Mutex

36553d30eb61b8600f25930b74bb73c4

Attributes

reg_key
36553d30eb61b8600f25930b74bb73c4
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

yahoo.exeyahoo.exe

pid process

1164 yahoo.exe
552 yahoo.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2036 netsh.exe

pid	process
1164	yahoo.exe
552	yahoo.exe

pid	process
2036	netsh.exe

Drops startup file 2 IoCs

Processes:

yahoo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36553d30eb61b8600f25930b74bb73c4.exe	yahoo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36553d30eb61b8600f25930b74bb73c4.exe	yahoo.exe

Loads dropped DLL 2 IoCs

Processes:

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exeyahoo.exe

pid process

1252 97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
1164 yahoo.exe

pid	process
1252	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
1164	yahoo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yahoo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\36553d30eb61b8600f25930b74bb73c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."	yahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\36553d30eb61b8600f25930b74bb73c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."	yahoo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exeyahoo.exe

description	pid	process	target process
PID 2020 set thread context of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 1164 set thread context of 552	1164	yahoo.exe	yahoo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exeyahoo.exe

pid	process
2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
1164	yahoo.exe
1164	yahoo.exe
1164	yahoo.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exeyahoo.exeyahoo.exe

description	pid	process
Token: SeDebugPrivilege	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
Token: SeDebugPrivilege	1164	yahoo.exe
Token: SeDebugPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe
Token: 33	552	yahoo.exe
Token: SeIncBasePriorityPrivilege	552	yahoo.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exeyahoo.exeyahoo.exe

description	pid	process	target process
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 2020 wrote to memory of 1252	2020	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
PID 1252 wrote to memory of 1164	1252	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	yahoo.exe
PID 1252 wrote to memory of 1164	1252	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	yahoo.exe
PID 1252 wrote to memory of 1164	1252	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	yahoo.exe
PID 1252 wrote to memory of 1164	1252	97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 1164 wrote to memory of 552	1164	yahoo.exe	yahoo.exe
PID 552 wrote to memory of 2036	552	yahoo.exe	netsh.exe
PID 552 wrote to memory of 2036	552	yahoo.exe	netsh.exe
PID 552 wrote to memory of 2036	552	yahoo.exe	netsh.exe
PID 552 wrote to memory of 2036	552	yahoo.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
"C:\Users\Admin\AppData\Local\Temp\97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
C:\Users\Admin\AppData\Local\Temp\97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
"C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
255KB

MD5
692cc299413a63e12db0be146ad906e0

SHA1
6f2c1dc4b26c21784f9ee4fb850abad30d4e0850

SHA256
97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

SHA512
674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
255KB

MD5
692cc299413a63e12db0be146ad906e0

SHA1
6f2c1dc4b26c21784f9ee4fb850abad30d4e0850

SHA256
97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

SHA512
674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505

Download Submit
C:\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
255KB

MD5
692cc299413a63e12db0be146ad906e0

SHA1
6f2c1dc4b26c21784f9ee4fb850abad30d4e0850

SHA256
97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

SHA512
674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505

Download Submit
\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
255KB

MD5
692cc299413a63e12db0be146ad906e0

SHA1
6f2c1dc4b26c21784f9ee4fb850abad30d4e0850

SHA256
97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

SHA512
674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505

Download Submit
\Users\Admin\AppData\Local\Temp\yahoo.exe
Filesize
255KB

MD5
692cc299413a63e12db0be146ad906e0

SHA1
6f2c1dc4b26c21784f9ee4fb850abad30d4e0850

SHA256
97af4157796dfb09c3bd51c4988c4bac1b0a6210256e266cc2f4236bccc9f5d9

SHA512
674c4c9502b91ed9d445e058c6ce69eb301ece610b99d73fbce9ba143fde2d862b3677ab378a319cbbdc8fb3000ae3996a0f64c329e4dbc3ed44e79504cfd505

Download Submit
memory/552-76-0x000000000040747E-mapping.dmp

Download
memory/1164-69-0x0000000000000000-mapping.dmp

Download
memory/1164-83-0x0000000004885000-0x0000000004896000-memory.dmp

Filesize
68KB

Download
memory/1164-82-0x0000000004885000-0x0000000004896000-memory.dmp

Filesize
68KB

Download
memory/1164-72-0x0000000000C10000-0x0000000000C56000-memory.dmp

Filesize
280KB

Download
memory/1252-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1252-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1252-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1252-60-0x000000000040747E-mapping.dmp

Download
memory/2020-66-0x0000000004AD5000-0x0000000004AE6000-memory.dmp

Filesize
68KB

Download
memory/2020-65-0x0000000004AD5000-0x0000000004AE6000-memory.dmp

Filesize
68KB

Download
memory/2020-54-0x0000000000B00000-0x0000000000B46000-memory.dmp

Filesize
280KB

Download
memory/2020-58-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/2020-57-0x0000000002280000-0x00000000022FA000-memory.dmp

Filesize
488KB

Download
memory/2020-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000420000-0x0000000000446000-memory.dmp

Filesize
152KB

Download
memory/2036-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads