njrat | 973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe
Size

878KB
MD5

f5af188a585adc74007264e0d043a3c1
SHA1

6912cf14453f8c8f3182995ae8162c98f6cc7f34
SHA256

973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077
SHA512

d3c2f501595499bf2a0cf6a502a10743d06426e2c51bcde4fce9f3e4676555d9e3ea48eb663545bb30c915dbe6a2c8ac829916051862bf386436fc8631a556b2
SSDEEP

12288:Pat0EAH49n8BZ7yMhmuPgJ3BhOl+nHzHdQJ0pTCaQfOgNgrX2gIvvsL/8T3eJGix:yt24+7+uPgJ3ul+nTd+OSgLpz4T3eJGO

Score

10^/10

njrat billy evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BILLY

withgod.hopper.pw:770

Mutex

b84a37071759ef5cf75837e93f4b857b

Attributes

reg_key
b84a37071759ef5cf75837e93f4b857b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

xjgdw.pifxjgdw.pifRegSvcs.exe

pid process

4872 xjgdw.pif
4800 xjgdw.pif
4344 RegSvcs.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1800 netsh.exe

pid	process
4872	xjgdw.pif
4800	xjgdw.pif
4344	RegSvcs.exe

pid	process
1800	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xjgdw.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xjgdw.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\xjgdw.pif C:\\Users\\Admin\\AppData\\Roaming\\dcdsp\\qsleh.qie"	xjgdw.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

xjgdw.pif

description pid process target process

PID 4800 set thread context of 4344 4800 xjgdw.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4800 set thread context of 4344	4800	xjgdw.pif	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe
Token: 33	4344	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	4344	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exexjgdw.pifxjgdw.pifRegSvcs.exe

description	pid	process	target process
PID 2424 wrote to memory of 4872	2424	973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe	xjgdw.pif
PID 2424 wrote to memory of 4872	2424	973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe	xjgdw.pif
PID 2424 wrote to memory of 4872	2424	973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe	xjgdw.pif
PID 4872 wrote to memory of 4800	4872	xjgdw.pif	xjgdw.pif
PID 4872 wrote to memory of 4800	4872	xjgdw.pif	xjgdw.pif
PID 4872 wrote to memory of 4800	4872	xjgdw.pif	xjgdw.pif
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4800 wrote to memory of 4344	4800	xjgdw.pif	RegSvcs.exe
PID 4344 wrote to memory of 1800	4344	RegSvcs.exe	netsh.exe
PID 4344 wrote to memory of 1800	4344	RegSvcs.exe	netsh.exe
PID 4344 wrote to memory of 1800	4344	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe
"C:\Users\Admin\AppData\Local\Temp\973c9e8c1325a97b1f899f5a10cea9d2f8f80b3aa3e33c10bb63336e09ee4077.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2424

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
"C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif" qsleh.qie
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif C:\Users\Admin\AppData\Roaming\dcdsp\YGSNI
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" "RegSvcs.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
5257104440f9fcd3055ca809b81684e3

SHA1
586db1b80505fb4244fedad9e1cee86ef7184f9e

SHA256
1820441d8ba174eb2d3af1d41aaaa5952835912606db606efe4de1ec20c9429b

SHA512
2544f36ddd06783a67938e06aeb87b5b9c2b0d80f631ad97cb9357c8bb5774f909001dda5676e179b70c8e8b0187b2f95411eef11dea5d405f667acb96f153e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
33KB

MD5
5257104440f9fcd3055ca809b81684e3

SHA1
586db1b80505fb4244fedad9e1cee86ef7184f9e

SHA256
1820441d8ba174eb2d3af1d41aaaa5952835912606db606efe4de1ec20c9429b

SHA512
2544f36ddd06783a67938e06aeb87b5b9c2b0d80f631ad97cb9357c8bb5774f909001dda5676e179b70c8e8b0187b2f95411eef11dea5d405f667acb96f153e3

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\YGSNI
Filesize
118KB

MD5
c346f5cd7684d742e218dc717b47c027

SHA1
c1486531db25d3c7f86e6a0031342885bd8580b5

SHA256
f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63

SHA512
90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\YMQGIX
Filesize
29KB

MD5
7b7b71df124bc97c534515dcf50ce86e

SHA1
0cdd2b9f2dde88f2ff78ffca3557bee3dff77154

SHA256
602ea3bc757612fc4dd9a3e4b83de03283684afa3e31d2c61f1b559d6c513f14

SHA512
f9d4e142945aff10f561bf5ae7718128df04adbbfcc97b18d647985e71e88b4e2bcc539d1950e1115d386649b0a838f243982c783eee69a144f13125cf2723dd

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\etttt
Filesize
1KB

MD5
640db8da702baaf410c9790e09b7cc82

SHA1
7c4539c77c83ea64e85133969aa94795a76a43fd

SHA256
6aad9f2e7c636dcea995389fcd99c558d5a9c136aaa9cfbcbb132cc7f7abefd8

SHA512
25132c750641f572a6c739971d219ff8da01d6899480c8bbefd05fb054246f6ca2bbb46c0fd72132cee8bd70bb695692bc1c66c3b8e51233ad4fc2d9c7ba47a2

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\ppcof.qve
Filesize
118KB

MD5
f5bacdd6c1b958b5f71b2104468564c2

SHA1
69844070a757c70050ea53bb511117b13e5664be

SHA256
4d326ee4122d3c8664105f3bb590b5ef799a60e233bf74217e19d4c9f609f601

SHA512
e03772e56d0e069809f5b94052f315c0063cc6235a34b68ae1639769fe7cb43522950a7fe3c7776b2b3e90e2c59954954430a0be64e84d07a29fd7854efc9f8e

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\qmvsh
Filesize
23KB

MD5
5a712708d9e44c1155486fe98f43e902

SHA1
e38fed07c7ba70cd767d6523efd405172cfaf25d

SHA256
94755876bbca49070b732853ee3ecc345690d56818dc0bd6557e22c94fa954fd

SHA512
a93b64ff068a93ab034507e16d946fc05bf2fdc19d52aaadf253a93b999dac39c64e55b82723a7a24accd390d35845f3d720203c523699cf9e6d93b25f59838c

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\qsleh.qie
Filesize
3KB

MD5
d5b4309ba1f32fd202be951358732d2f

SHA1
045b0d44191088c05a76c12f38d9979482def488

SHA256
7f991f482669a82eb2317c45777350a738487fa9d7bcbc66ca731bfaf617cbe7

SHA512
378e34554c166cef62ba5a1832d6a15845b092c3f9a76c937bc5ec7eea69c20f01a5b7293bf2f18b84bc31dbd780cc0ad4541e8e371ea8c52a976f3f41b9d6d2

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\dcdsp\xjgdw.pif
Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1800-148-0x0000000000000000-mapping.dmp

Download
memory/4344-143-0x0000000000000000-mapping.dmp

Download
memory/4344-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4344-147-0x00000000742F0000-0x00000000748A1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-149-0x00000000742F0000-0x00000000748A1000-memory.dmp

Filesize
5.7MB

Download
memory/4800-138-0x0000000000000000-mapping.dmp

Download
memory/4872-132-0x0000000000000000-mapping.dmp

Download