njrat | 69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0

General

Target

69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
Size

905KB
MD5

9298a561a8fb25ecd82623decf63e030
SHA1

0e55af8d345123d46bd7df3ce18f55fa5e100447
SHA256

69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0
SHA512

2b073f29bad7d1dda19d87b26f118e8aa1a19892e0152efe0b697374122f08bec2feb56474fc1a5afff9bf2cec7c9338243865f70560b5f11fb3f8e0292e693d
SSDEEP

12288:9BhsH/rtR2Rr6ioMPZtsonyAHnFJCSEwf+zPRzkvFrrSH+VfGCdRvME9AjHehhy/:+jtRynGMc82xouP

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

joker111111.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
4964	Trojan.exe
2352	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4348	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4900 set thread context of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4964 set thread context of 2352	4964	Trojan.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
4964	Trojan.exe
4964	Trojan.exe
4964	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe
2352	Trojan.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
Token: SeDebugPrivilege	4964	Trojan.exe
Token: SeDebugPrivilege	2352	Trojan.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4900 wrote to memory of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4900 wrote to memory of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4900 wrote to memory of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4900 wrote to memory of 4656	4900	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	84
PID 4656 wrote to memory of 4964	4656	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	85
PID 4656 wrote to memory of 4964	4656	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	85
PID 4656 wrote to memory of 4964	4656	69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe	85
PID 4964 wrote to memory of 2352	4964	Trojan.exe	86
PID 4964 wrote to memory of 2352	4964	Trojan.exe	86
PID 4964 wrote to memory of 2352	4964	Trojan.exe	86
PID 4964 wrote to memory of 2352	4964	Trojan.exe	86
PID 4964 wrote to memory of 2352	4964	Trojan.exe	86
PID 2352 wrote to memory of 4348	2352	Trojan.exe	87
PID 2352 wrote to memory of 4348	2352	Trojan.exe	87
PID 2352 wrote to memory of 4348	2352	Trojan.exe	87

C:\Users\Admin\AppData\Local\Temp\69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
"C:\Users\Admin\AppData\Local\Temp\69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
  C:\Users\Admin\AppData\Local\Temp\69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      C:\Users\Admin\AppData\Local\Temp\Trojan.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0.exe.log

Filesize
418B

MD5
89c8a5340eb284f551067d44e27ae8dd

SHA1
d2431ae25a1ab67762a5125574f046f4c951d297

SHA256
73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b

SHA512
b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
905KB

MD5
9298a561a8fb25ecd82623decf63e030

SHA1
0e55af8d345123d46bd7df3ce18f55fa5e100447

SHA256
69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0

SHA512
2b073f29bad7d1dda19d87b26f118e8aa1a19892e0152efe0b697374122f08bec2feb56474fc1a5afff9bf2cec7c9338243865f70560b5f11fb3f8e0292e693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
905KB

MD5
9298a561a8fb25ecd82623decf63e030

SHA1
0e55af8d345123d46bd7df3ce18f55fa5e100447

SHA256
69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0

SHA512
2b073f29bad7d1dda19d87b26f118e8aa1a19892e0152efe0b697374122f08bec2feb56474fc1a5afff9bf2cec7c9338243865f70560b5f11fb3f8e0292e693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
905KB

MD5
9298a561a8fb25ecd82623decf63e030

SHA1
0e55af8d345123d46bd7df3ce18f55fa5e100447

SHA256
69a1f9fb95247f6decf04d817a6c0715c86aa09f7fadf6902b6292f0d49918d0

SHA512
2b073f29bad7d1dda19d87b26f118e8aa1a19892e0152efe0b697374122f08bec2feb56474fc1a5afff9bf2cec7c9338243865f70560b5f11fb3f8e0292e693d

Download Submit
memory/2352-142-0x0000000000000000-mapping.dmp

Download
memory/4348-145-0x0000000000000000-mapping.dmp

Download
memory/4656-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4656-137-0x0000000000000000-mapping.dmp

Download
memory/4900-132-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/4900-136-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/4900-135-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/4900-134-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4900-133-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/4964-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing