njrat | c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38

General

Target

c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe
Size

29KB
MD5

37c960b09fd5281ea1d11e799d98d5f0
SHA1

a33c6a07b4c38e0bf9850b501fd578292fe9bfe0
SHA256

c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38
SHA512

21cdf8680b7eb9518fc58aa9d55452cd549edc08790964da843986ed260afdcbf296061dfa0eb8f0e83122269c8786a5aa02d319e878327174e92165b0c8b478
SSDEEP

768:xUi71MHaSf0gsHwqIXeyBKh0p29SgR5H:x71miQBjKhG29j5H

Score

10^/10

njrat صالح كوباني vpn evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

صالح كوباني vpn

C2

freepage.sytes.net:1999

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes

reg_key
d5a38e9b5f206c41f8851bf04a251d26
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid process

1236 chrome.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

432 netsh.exe

pid	process
432	netsh.exe

Drops startup file 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5a38e9b5f206c41f8851bf04a251d26.exe	chrome.exe

Loads dropped DLL 1 IoCs

Processes:

c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe

pid process

1996 c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe

pid	process
1996	c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d5a38e9b5f206c41f8851bf04a251d26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe\" .."	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exe

pid	process
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe
1236	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 1236 chrome.exe

description	pid	process
Token: SeDebugPrivilege	1236	chrome.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exechrome.exe

description	pid	process	target process
PID 1996 wrote to memory of 1236	1996	c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe	chrome.exe
PID 1996 wrote to memory of 1236	1996	c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe	chrome.exe
PID 1996 wrote to memory of 1236	1996	c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe	chrome.exe
PID 1996 wrote to memory of 1236	1996	c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe	chrome.exe
PID 1236 wrote to memory of 432	1236	chrome.exe	netsh.exe
PID 1236 wrote to memory of 432	1236	chrome.exe	netsh.exe
PID 1236 wrote to memory of 432	1236	chrome.exe	netsh.exe
PID 1236 wrote to memory of 432	1236	chrome.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe
"C:\Users\Admin\AppData\Local\Temp\c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
37c960b09fd5281ea1d11e799d98d5f0

SHA1
a33c6a07b4c38e0bf9850b501fd578292fe9bfe0

SHA256
c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38

SHA512
21cdf8680b7eb9518fc58aa9d55452cd549edc08790964da843986ed260afdcbf296061dfa0eb8f0e83122269c8786a5aa02d319e878327174e92165b0c8b478

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
37c960b09fd5281ea1d11e799d98d5f0

SHA1
a33c6a07b4c38e0bf9850b501fd578292fe9bfe0

SHA256
c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38

SHA512
21cdf8680b7eb9518fc58aa9d55452cd549edc08790964da843986ed260afdcbf296061dfa0eb8f0e83122269c8786a5aa02d319e878327174e92165b0c8b478

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
29KB

MD5
37c960b09fd5281ea1d11e799d98d5f0

SHA1
a33c6a07b4c38e0bf9850b501fd578292fe9bfe0

SHA256
c9d944e5b381ba0475b88d52fa96b9d2690bbd3fa260aa24148625f024f2fc38

SHA512
21cdf8680b7eb9518fc58aa9d55452cd549edc08790964da843986ed260afdcbf296061dfa0eb8f0e83122269c8786a5aa02d319e878327174e92165b0c8b478

Download Submit
memory/432-62-0x0000000000000000-mapping.dmp

Download
memory/1236-57-0x0000000000000000-mapping.dmp

Download
memory/1236-63-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/1236-65-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-61-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads