njrat | 2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed

General

Target

2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe
Size

840KB
MD5

7c969a7c3b1f4d6920c7ee6ddf165db1
SHA1

a68ed8f0d4326f78d5b80bd99766e817108ff9ae
SHA256

2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed
SHA512

6ec1a236fd307e215c042b2b9753c24abab65300f29df689be53b0e9ed7faf868d6083f5d434b8bd6d0704315d46d57e9b8cc6b26373bda9b6cd7ff9e6d677e0
SSDEEP

24576:yQZ3mQR8jblVrDEwwFPPiTGQrYdel2D3E1BoDJe56:bZlEblBZwFHaYc1Ce56

Score

10^/10

njrat john trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

john

C2

174.127.99.249:1177

Mutex

820a2113c7eb31ee7bb301083496cceb

Attributes

reg_key
820a2113c7eb31ee7bb301083496cceb
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe

description	pid	process	target process
PID 1900 set thread context of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2015843771ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375996406"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000288fe0d5a7856514e5b9d1a12d481dbbe4208737da99e1acdde59075c166add8000000000e8000000002000020000000b891d9c15f36474fa836c0a6ec6cde2a4a990c15a1549c02bf5ca2370ef0a4c190000000712a41c085750cf1db21f63b712f2170958464639036334946989f22484f1b0c05ebbd8aebfa4810f997bf0e926b2680cf6d92cb9d9aaa0c4e1827433a153cf17c1bf07c1617f19f57fe26f9ec866af221701777bad2daa9079c5aea4c78342470b118d896d3a4e0a2b73784911c83eee884168645c2a174281a15ef0eb90d7870070affff9930667f3fbc3eeec6e061400000006ec779724319d120b0d03a9ee68c8d086a99ad23081cbfe3b0f8047c168a183b1413be2e461f77a8567e9b65aebaff14402eabb5aa770bdbeca660bad05eedae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000004d65af59bed16829293632fc10998969b8439276ab0397fdbaa75de78863910f000000000e8000000002000020000000a8b71e1fb3f70b6e70f59ef26b6bff31119516f12ec5e880b045f689cb9d5b8c200000004ebf917688682673f1cfd507a0d2c3ae24b7a99985394991f3599eeecef64d47400000007311705737d25c5370679d5e2d342672b5b36d0f8dc7e4d94bfe091c7027e10218f0e465e6698907e2875e3f8e8371c689561f23e3d3ad514ed23d7491ec9504	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C36F2C1-6B64-11ED-B559-F63187E7FFAB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe

description pid process

Token: SeDebugPrivilege 1900 2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1732 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe

pid	process
1732	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AcroRd32.exeiexplore.exeIEXPLORE.EXE

pid	process
1760	AcroRd32.exe
1760	AcroRd32.exe
1760	AcroRd32.exe
1732	iexplore.exe
1732	iexplore.exe
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exeAppLaunch.exeiexplore.exe

description	pid	process	target process
PID 1900 wrote to memory of 1760	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AcroRd32.exe
PID 1900 wrote to memory of 1760	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AcroRd32.exe
PID 1900 wrote to memory of 1760	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AcroRd32.exe
PID 1900 wrote to memory of 1760	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AcroRd32.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1900 wrote to memory of 1372	1900	2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe	AppLaunch.exe
PID 1372 wrote to memory of 1732	1372	AppLaunch.exe	iexplore.exe
PID 1372 wrote to memory of 1732	1372	AppLaunch.exe	iexplore.exe
PID 1372 wrote to memory of 1732	1372	AppLaunch.exe	iexplore.exe
PID 1372 wrote to memory of 1732	1372	AppLaunch.exe	iexplore.exe
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE
PID 1732 wrote to memory of 1924	1732	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe
"C:\Users\Admin\AppData\Local\Temp\2b60c561adf618dfa344b55b05492d57a0970c19d08cab5c6e04ab3ee50c10ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\Product_Catalogue.pdf"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=AppLaunch.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KTLW93PW.txt
Filesize
608B

MD5
6bf025342be49436ab4944677adb43dd

SHA1
6364d250d0cfb41b5186832362b4b50cdb98031c

SHA256
dbfd5cc99893b7921409ab29955f926261c219818f068e5be5cd91d4756db913

SHA512
682691e635af353735c2d47de0aeeec62bc14dd442a6fde896526c9e39be2175566f9d4cf1ab198262ed7542d99d833fcd10de99891cbc19c3fd5b720be0f552

Download Submit
C:\Users\Admin\Desktop\Product_Catalogue.pdf
Filesize
563KB

MD5
6ee9b6b4c2ee69e5cb36937a6dda0d30

SHA1
e3f4f5586f5ac5d2ebb219b0c3cf07fa2b1eb369

SHA256
e8b59c9030f391d939d19c577cece3ac036a2ad470cb3e37351c5c014491f409

SHA512
97e569b3e5cf88b8bdb1c2622096ed7dd31aa61c2cfd430cfce9d491b51899f27d036bb24cd7866ed70d30317689bd694c5d699b3a186471e49da3b6a6dcd819

Download Submit
memory/1372-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-65-0x000000000040747E-mapping.dmp

Download
memory/1372-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1372-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download
memory/1900-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1900-71-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-56-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download
memory/1900-55-0x0000000074A00000-0x0000000074FAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads