njrat | 52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394

General

Target

52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe
Size

29KB
MD5

4916cb099db6081c6a82c3af78f0e28d
SHA1

54dd4ae52d940a3cdd4839fd168e17f46226b34b
SHA256

52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394
SHA512

9afa183e38357640147c1ac52c2fee3e1835ab192333e98308f50da3bad72af917e9560f6b07437a1a96be1d313055460124fa0e676098819d1097000511f199
SSDEEP

384:9SItl77FDFucYfKQCcvVt5Th3iOmqD8lTeY6GBsbh0w4wlAokw9OhgOL1vYRGOZ7:b77ucYfKQT7z3sq4TewBKh0p29SgRn/

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

danamuhammad12.no-ip.org:1177

Mutex

dae31c02cb06222e776b9ccb9207edb1

Attributes

reg_key
dae31c02cb06222e776b9ccb9207edb1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

system.exe

pid process

1952 system.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

524 netsh.exe

pid	process
524	netsh.exe

Drops startup file 2 IoCs

Processes:

system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dae31c02cb06222e776b9ccb9207edb1.exe	system.exe

Loads dropped DLL 1 IoCs

Processes:

52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe

pid process

1672 52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe

pid	process
1672	52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dae31c02cb06222e776b9ccb9207edb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\system.exe\" .."	system.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

system.exe

pid	process
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe
1952	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system.exe

description pid process

Token: SeDebugPrivilege 1952 system.exe

description	pid	process
Token: SeDebugPrivilege	1952	system.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exesystem.exe

description	pid	process	target process
PID 1672 wrote to memory of 1952	1672	52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe	system.exe
PID 1672 wrote to memory of 1952	1672	52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe	system.exe
PID 1672 wrote to memory of 1952	1672	52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe	system.exe
PID 1672 wrote to memory of 1952	1672	52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe	system.exe
PID 1952 wrote to memory of 524	1952	system.exe	netsh.exe
PID 1952 wrote to memory of 524	1952	system.exe	netsh.exe
PID 1952 wrote to memory of 524	1952	system.exe	netsh.exe
PID 1952 wrote to memory of 524	1952	system.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe
"C:\Users\Admin\AppData\Local\Temp\52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Roaming\system.exe
"C:\Users\Admin\AppData\Roaming\system.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\system.exe" "system.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system.exe

Filesize
29KB

MD5
4916cb099db6081c6a82c3af78f0e28d

SHA1
54dd4ae52d940a3cdd4839fd168e17f46226b34b

SHA256
52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394

SHA512
9afa183e38357640147c1ac52c2fee3e1835ab192333e98308f50da3bad72af917e9560f6b07437a1a96be1d313055460124fa0e676098819d1097000511f199

Download Submit
C:\Users\Admin\AppData\Roaming\system.exe

Filesize
29KB

MD5
4916cb099db6081c6a82c3af78f0e28d

SHA1
54dd4ae52d940a3cdd4839fd168e17f46226b34b

SHA256
52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394

SHA512
9afa183e38357640147c1ac52c2fee3e1835ab192333e98308f50da3bad72af917e9560f6b07437a1a96be1d313055460124fa0e676098819d1097000511f199

Download Submit
\Users\Admin\AppData\Roaming\system.exe

Filesize
29KB

MD5
4916cb099db6081c6a82c3af78f0e28d

SHA1
54dd4ae52d940a3cdd4839fd168e17f46226b34b

SHA256
52c9b1b1d8a3babe07e31bb510ee9dc6d55a31dec86effcf0808a3caf8459394

SHA512
9afa183e38357640147c1ac52c2fee3e1835ab192333e98308f50da3bad72af917e9560f6b07437a1a96be1d313055460124fa0e676098819d1097000511f199

Download Submit
memory/524-61-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000076AE1000-0x0000000076AE3000-memory.dmp

Filesize
8KB

Download
memory/1672-55-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-62-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-57-0x0000000000000000-mapping.dmp

Download
memory/1952-64-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1952-65-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads