njrat | 98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16

General

Target

98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
Size

55KB
MD5

7d4f891f353fbadcbf39634df6e9dc91
SHA1

a08cae72f2bc91883f307c384922fc1adcd2a2c7
SHA256

98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16
SHA512

9da0cedb556ba01dbf2f0c92b4cf6d69031cd69457bb3df21f174c252950518a6b2836ecee2e81c2c8245b49940a829c0ca2fd04db129f207e581eb5b87a0095
SSDEEP

768:CygGGiYSj7hoB1b5U88cH1Ne5BKh0p29SgRczrH8zE85CNqlWVLRYe:CWGiYSj7hKXVWKhG29jczrH8j5C0e9f

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

17e873bfcaa25c26ef0c2dc468367fc3

Attributes

reg_key
17e873bfcaa25c26ef0c2dc468367fc3
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

TempServer.exejeux.exe

pid process

3104 TempServer.exe
4592 jeux.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1976 netsh.exe

pid	process
3104	TempServer.exe
4592	jeux.exe

pid	process
1976	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exeTempServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	TempServer.exe

Drops startup file 2 IoCs

Processes:

jeux.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17e873bfcaa25c26ef0c2dc468367fc3.exe	jeux.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\17e873bfcaa25c26ef0c2dc468367fc3.exe	jeux.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jeux.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17e873bfcaa25c26ef0c2dc468367fc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jeux.exe\" .."	jeux.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\17e873bfcaa25c26ef0c2dc468367fc3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\jeux.exe\" .."	jeux.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

jeux.exe

pid	process
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe
4592	jeux.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jeux.exe

description pid process

Token: SeDebugPrivilege 4592 jeux.exe

description	pid	process
Token: SeDebugPrivilege	4592	jeux.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exeTempServer.exejeux.exe

description	pid	process	target process
PID 544 wrote to memory of 3104	544	98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe	TempServer.exe
PID 544 wrote to memory of 3104	544	98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe	TempServer.exe
PID 544 wrote to memory of 3104	544	98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe	TempServer.exe
PID 3104 wrote to memory of 4592	3104	TempServer.exe	jeux.exe
PID 3104 wrote to memory of 4592	3104	TempServer.exe	jeux.exe
PID 3104 wrote to memory of 4592	3104	TempServer.exe	jeux.exe
PID 4592 wrote to memory of 1976	4592	jeux.exe	netsh.exe
PID 4592 wrote to memory of 1976	4592	jeux.exe	netsh.exe
PID 4592 wrote to memory of 1976	4592	jeux.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe
"C:\Users\Admin\AppData\Local\Temp\98319c8882f4f78cd685921fb0a7bdc6d7bd52aae8e6e480a9009d7aaa326e16.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:544

C:\Users\Admin\AppData\Local\TempServer.exe
"C:\Users\Admin\AppData\Local\TempServer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\jeux.exe
"C:\Users\Admin\AppData\Local\Temp\jeux.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\jeux.exe" "jeux.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempServer.exe

Filesize
29KB

MD5
37ca368169ce0b732cfd74b18631b22d

SHA1
09968c66e560df248ea23a921626b4a24a955a28

SHA256
6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761

SHA512
69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

Download Submit
C:\Users\Admin\AppData\Local\TempServer.exe

Filesize
29KB

MD5
37ca368169ce0b732cfd74b18631b22d

SHA1
09968c66e560df248ea23a921626b4a24a955a28

SHA256
6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761

SHA512
69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeux.exe

Filesize
29KB

MD5
37ca368169ce0b732cfd74b18631b22d

SHA1
09968c66e560df248ea23a921626b4a24a955a28

SHA256
6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761

SHA512
69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

Download Submit
C:\Users\Admin\AppData\Local\Temp\jeux.exe

Filesize
29KB

MD5
37ca368169ce0b732cfd74b18631b22d

SHA1
09968c66e560df248ea23a921626b4a24a955a28

SHA256
6312f259175d52f1b9dc55ad1c762be931cd166e9d6c157e567218847d925761

SHA512
69149d741ac20767a4e5d375bfd288ea91dd0220f2aab75e802f1a208caba64fb054590177902abce72cb90cf970bed5f343e77981e19f8faab1c4d8843d5633

Download Submit
memory/544-136-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/544-137-0x0000000004DF0000-0x0000000004E46000-memory.dmp

Filesize
344KB

Download
memory/544-132-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/544-135-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/544-134-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/544-133-0x0000000004B40000-0x0000000004BDC000-memory.dmp

Filesize
624KB

Download
memory/1976-144-0x0000000000000000-mapping.dmp

Download
memory/3104-138-0x0000000000000000-mapping.dmp

Download
memory/3104-145-0x000000006F700000-0x000000006FCB1000-memory.dmp

Filesize
5.7MB

Download
memory/4592-141-0x0000000000000000-mapping.dmp

Download
memory/4592-146-0x000000006F700000-0x000000006FCB1000-memory.dmp

Filesize
5.7MB

Download
memory/4592-147-0x000000006F700000-0x000000006FCB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads