njrat | b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02

General

Target

b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
Size

759KB
MD5

02cf06a70cf46b0c7a09db8531bebb50
SHA1

f6e7407628eb18ae391a44396e7e1993dd28e2ce
SHA256

b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02
SHA512

53d1ac6f87b16cc377909f53d2f5fd691476e8f896b7307eda5e118239a5116c150f11a0746a7ea103edcfeb2ff934aa8d6977eca862e2735a7d4403ccb8e7da
SSDEEP

12288:O1dlZo5y/RjeQE0A5U/ZvUzTdJCJ5/rcIpwOGSgO8AtmuasL/OeTk2CcpqItSPBS:O1dlZo5YRCQE9U/hUlw7n6SB/OrYqI8Y

Score

10^/10

njrat fucked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

FUcKed

C2

nigro02.no-ip.info:1177

Mutex

8b6c724afb458a51b8bbc1984d95f348

Attributes

reg_key
8b6c724afb458a51b8bbc1984d95f348
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 3 IoCs

pid	Process
1028	idm.exe
1224	srvhost.exe
1824	Creative Cloud Set-Up.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
972	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b6c724afb458a51b8bbc1984d95f348.exe	srvhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b6c724afb458a51b8bbc1984d95f348.exe	srvhost.exe

Loads dropped DLL 3 IoCs

pid	Process
1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b6c724afb458a51b8bbc1984d95f348 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srvhost.exe\" .."	srvhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8b6c724afb458a51b8bbc1984d95f348 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srvhost.exe\" .."	srvhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe
1224	srvhost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	srvhost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1028	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	27
PID 1044 wrote to memory of 1028	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	27
PID 1044 wrote to memory of 1028	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	27
PID 1044 wrote to memory of 1028	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	27
PID 1028 wrote to memory of 1224	1028	idm.exe	28
PID 1028 wrote to memory of 1224	1028	idm.exe	28
PID 1028 wrote to memory of 1224	1028	idm.exe	28
PID 1224 wrote to memory of 972	1224	srvhost.exe	29
PID 1224 wrote to memory of 972	1224	srvhost.exe	29
PID 1224 wrote to memory of 972	1224	srvhost.exe	29
PID 1044 wrote to memory of 1824	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	30
PID 1044 wrote to memory of 1824	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	30
PID 1044 wrote to memory of 1824	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	30
PID 1044 wrote to memory of 1824	1044	b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe	30

C:\Users\Admin\AppData\Local\Temp\b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe
"C:\Users\Admin\AppData\Local\Temp\b0ca0c818554939b2e8043c4605298f8f2ab0071cafddaf36d6a08684f5a2d02.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Extracted\idm.exe
  "C:\Extracted\idm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\srvhost.exe
    "C:\Users\Admin\AppData\Local\Temp\srvhost.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\srvhost.exe" "srvhost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:972
- C:\Extracted\Creative Cloud Set-Up.exe
  "C:\Extracted\Creative Cloud Set-Up.exe"
  2⤵
  - Executes dropped EXE
  PID:1824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\Creative Cloud Set-Up.exe

Filesize
600KB

MD5
1d021a009ba55f3843403a738e4b4a6b

SHA1
16916fc5c8701f899b420a4b487f41f85b438075

SHA256
42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00

SHA512
0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Download Submit
C:\Extracted\idm.exe

Filesize
93KB

MD5
5b010258a27e8e3398bf3c5a30c5f132

SHA1
8c567f40a929893588c138eb0d0a5795e31edf3e

SHA256
fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e

SHA512
26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Download Submit
C:\Extracted\idm.exe

Filesize
93KB

MD5
5b010258a27e8e3398bf3c5a30c5f132

SHA1
8c567f40a929893588c138eb0d0a5795e31edf3e

SHA256
fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e

SHA512
26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\srvhost.exe

Filesize
93KB

MD5
5b010258a27e8e3398bf3c5a30c5f132

SHA1
8c567f40a929893588c138eb0d0a5795e31edf3e

SHA256
fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e

SHA512
26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\srvhost.exe

Filesize
93KB

MD5
5b010258a27e8e3398bf3c5a30c5f132

SHA1
8c567f40a929893588c138eb0d0a5795e31edf3e

SHA256
fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e

SHA512
26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Download Submit
\Extracted\Creative Cloud Set-Up.exe

Filesize
600KB

MD5
1d021a009ba55f3843403a738e4b4a6b

SHA1
16916fc5c8701f899b420a4b487f41f85b438075

SHA256
42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00

SHA512
0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Download Submit
\Extracted\Creative Cloud Set-Up.exe

Filesize
600KB

MD5
1d021a009ba55f3843403a738e4b4a6b

SHA1
16916fc5c8701f899b420a4b487f41f85b438075

SHA256
42baf8c8943c905f8ed860ada40f30559f8b63ec8f7635148345a611d2495f00

SHA512
0df78ba3665efaf6c6649b88a44e74a2b83ac0ed02e55ab0bc9b333ae177c437dbda0022f73ac46928f82b0edb511a71cf860f3ae645a7ce3707fddcf8e3d72c

Download Submit
\Extracted\idm.exe

Filesize
93KB

MD5
5b010258a27e8e3398bf3c5a30c5f132

SHA1
8c567f40a929893588c138eb0d0a5795e31edf3e

SHA256
fe32ac4d77d96712c44416c0b73a8dd0f06423a28e950a9f0105699e35fd955e

SHA512
26cd4e676f6b464f460a8cb16b9fcd1a225805eb395f76427578d95f16fd496855410212a972bdb4638f9f36028f1bf5d3f21fb5769b9e530af66b6c130992b8

Download Submit
memory/1028-60-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/1028-64-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1028-63-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/1028-62-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/1028-59-0x00000000008F0000-0x000000000090E000-memory.dmp

Filesize
120KB

Download
memory/1028-61-0x00000000002E0000-0x00000000002EE000-memory.dmp

Filesize
56KB

Download
memory/1044-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1224-68-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/1224-79-0x00000000002F6000-0x0000000000315000-memory.dmp

Filesize
124KB

Download
memory/1824-76-0x0000000000150000-0x0000000000153000-memory.dmp

Filesize
12KB

Download
memory/1824-77-0x0000000000E10000-0x000000000103D000-memory.dmp

Filesize
2.2MB

Download
memory/1824-78-0x0000000000E10000-0x000000000103D000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing