njrat | 0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08

General

Target

0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe
Size

616KB
MD5

93bc0b0789dc983fd4d3b1f099d6ca06
SHA1

519f983007ec0e3aaf2bd5274a38dfcb861833fe
SHA256

0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08
SHA512

3fa9207476b52a59c0e59eaa6e38290be85eaf5a8bb102b578a87e19c621c6b790fd6cef7bd7b2597080fe5d51c07cbacc8e01efecaa1c5dc56f8a3137adcdb7
SSDEEP

12288:0sg+XyCpWKqKqKqKqKzKqKqKqKqKltoHGGrjko2N5mZU:6+XGqHG+jko2KZ

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

jafares.ddns.net:1177

Mutex

85ce27c90f0ba2b98ceb888e2ca7acde

Attributes

reg_key
85ce27c90f0ba2b98ceb888e2ca7acde
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

LocalFEnUgqRZUM.exeLocalFEnUgqRZUM.exegoogle.exegoogle.exe

pid process

1248 LocalFEnUgqRZUM.exe
752 LocalFEnUgqRZUM.exe
436 google.exe
1516 google.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1152 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

LocalFEnUgqRZUM.exegoogle.exe

pid process

752 LocalFEnUgqRZUM.exe
436 google.exe

pid	process
1152	netsh.exe

pid	process
752	LocalFEnUgqRZUM.exe
436	google.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

google.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\85ce27c90f0ba2b98ceb888e2ca7acde = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\google.exe\" .."	google.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

LocalFEnUgqRZUM.exegoogle.exe

description	pid	process	target process
PID 1248 set thread context of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 436 set thread context of 1516	436	google.exe	google.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

LocalFEnUgqRZUM.exegoogle.exegoogle.exe

pid	process
1248	LocalFEnUgqRZUM.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1516	google.exe
1516	google.exe
1516	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
1248	LocalFEnUgqRZUM.exe
436	google.exe
436	google.exe
436	google.exe
436	google.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

LocalFEnUgqRZUM.exegoogle.exegoogle.exe

description	pid	process
Token: SeDebugPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: SeDebugPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: SeDebugPrivilege	1516	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe
Token: SeIncBasePriorityPrivilege	1248	LocalFEnUgqRZUM.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	436	google.exe
Token: SeIncBasePriorityPrivilege	436	google.exe
Token: 33	1248	LocalFEnUgqRZUM.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exeLocalFEnUgqRZUM.exeLocalFEnUgqRZUM.exegoogle.exegoogle.exe

description	pid	process	target process
PID 1932 wrote to memory of 1248	1932	0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe	LocalFEnUgqRZUM.exe
PID 1932 wrote to memory of 1248	1932	0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe	LocalFEnUgqRZUM.exe
PID 1932 wrote to memory of 1248	1932	0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe	LocalFEnUgqRZUM.exe
PID 1932 wrote to memory of 1248	1932	0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 1248 wrote to memory of 752	1248	LocalFEnUgqRZUM.exe	LocalFEnUgqRZUM.exe
PID 752 wrote to memory of 436	752	LocalFEnUgqRZUM.exe	google.exe
PID 752 wrote to memory of 436	752	LocalFEnUgqRZUM.exe	google.exe
PID 752 wrote to memory of 436	752	LocalFEnUgqRZUM.exe	google.exe
PID 752 wrote to memory of 436	752	LocalFEnUgqRZUM.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 436 wrote to memory of 1516	436	google.exe	google.exe
PID 1516 wrote to memory of 1152	1516	google.exe	netsh.exe
PID 1516 wrote to memory of 1152	1516	google.exe	netsh.exe
PID 1516 wrote to memory of 1152	1516	google.exe	netsh.exe
PID 1516 wrote to memory of 1152	1516	google.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe
"C:\Users\Admin\AppData\Local\Temp\0261ae7bcfa532e3492cb55acc4de4df60cfedfdce553617ae8801b1b8006f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
"C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\google.exe
"C:\Users\Admin\AppData\Local\Temp\google.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\Temp\google.exe
C:\Users\Admin\AppData\Local\Temp\google.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\google.exe" "google.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
C:\Users\Admin\AppData\LocalFEnUgqRZUM.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
\Users\Admin\AppData\Local\Temp\google.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
\Users\Admin\AppData\Local\Temp\google.exe

Filesize
350KB

MD5
39669e5a0b4e4b6b569fb204b6b9eedf

SHA1
6b305e9240d5ace4aeb6a528501b7b40b20423b5

SHA256
8ffd0ede4e3f0b6d033146cbb6b1b5126e9170707732eeeb46ede3b35d187883

SHA512
ef76621c91f80dd7bbf3adc766bc4aaa1252be1b81c0715004a6f7d5fcd71e3bf9384ff25b34eb6b24a0aca691c84295fde6f6e65d3abc2e73d0534bb38ca6c0

Download Submit
memory/436-76-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/436-86-0x00000000049D5000-0x00000000049E6000-memory.dmp

Filesize
68KB

Download
memory/436-91-0x00000000049D5000-0x00000000049E6000-memory.dmp

Filesize
68KB

Download
memory/436-73-0x0000000000000000-mapping.dmp

Download
memory/752-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/752-64-0x0000000000408AFE-mapping.dmp

Download
memory/752-67-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/752-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1152-87-0x0000000000000000-mapping.dmp

Download
memory/1248-71-0x0000000004865000-0x0000000004876000-memory.dmp

Filesize
68KB

Download
memory/1248-62-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/1248-61-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download
memory/1248-60-0x0000000000A10000-0x0000000000A6E000-memory.dmp

Filesize
376KB

Download
memory/1248-56-0x0000000000000000-mapping.dmp

Download
memory/1248-90-0x0000000004865000-0x0000000004876000-memory.dmp

Filesize
68KB

Download
memory/1516-80-0x0000000000408AFE-mapping.dmp

Download
memory/1516-92-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1516-93-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/1932-54-0x000007FEF3BD0000-0x000007FEF45F3000-memory.dmp

Filesize
10.1MB

Download
memory/1932-59-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download
memory/1932-55-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads