njrat | 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

General

Target

4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
Size

29KB
MD5

cc1527601b9652935e9056cb92446af4
SHA1

aae8b36b18e40a006ce13e64b02c85e46e22f458
SHA256

4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9
SHA512

77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5
SSDEEP

768:4Qv/27NYsDkfZPoIqlHepBKh0p29SgRcr:tm7N143wEKhG29jcr

Score

10^/10

njrat system evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

system

C2

saadk.no-ip.biz:1177

Mutex

12ce4e06a81e8d54fd01d9b762f1b1bb

Attributes

reg_key
12ce4e06a81e8d54fd01d9b762f1b1bb
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

1936 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1928 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe

pid process

1408 4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe

pid	process
1928	netsh.exe

pid	process
1408	4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\12ce4e06a81e8d54fd01d9b762f1b1bb = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe\" .."	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

system.exe

pid	process
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe
1936	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 1936 system.exe

description	pid	process
Token: SeDebugPrivilege	1936	system.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exesystem.exe

description	pid	process	target process
PID 1408 wrote to memory of 1936	1408	4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe	system.exe
PID 1408 wrote to memory of 1936	1408	4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe	system.exe
PID 1408 wrote to memory of 1936	1408	4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe	system.exe
PID 1408 wrote to memory of 1936	1408	4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe	system.exe
PID 1936 wrote to memory of 1928	1936	system.exe	netsh.exe
PID 1936 wrote to memory of 1928	1936	system.exe	netsh.exe
PID 1936 wrote to memory of 1928	1936	system.exe	netsh.exe
PID 1936 wrote to memory of 1928	1936	system.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe
"C:\Users\Admin\AppData\Local\Temp\4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe
Filesize
29KB

MD5
cc1527601b9652935e9056cb92446af4

SHA1
aae8b36b18e40a006ce13e64b02c85e46e22f458

SHA256
4c0f695c4024706da28de651915101981018d3100856d421fb76f6d78b8adab9

SHA512
77d34263df5ef22f99c176020d5163b19b1392c6833da14d864e9762a6b9e4d11e3613a2a161937871150c80df0dd43d9edea1cee1e621c0d45a2047839172a5

Download Submit
memory/1408-54-0x00000000750A1000-0x00000000750A3000-memory.dmp

Filesize
8KB

Download
memory/1408-55-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-61-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-62-0x0000000000000000-mapping.dmp

Download
memory/1936-57-0x0000000000000000-mapping.dmp

Download
memory/1936-64-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-65-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads