njrat | 97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b

General

Target

97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe
Size

29KB
MD5

c126e0f1c902ecc3c38a70201a3ff596
SHA1

7f2f7546361464ac039fc7f59a40c2bbe72fe60b
SHA256

97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b
SHA512

499030cf4ca86ee53304998100133603c940db3e6c40c9b1c31a901cce50d8201ffa283aa27abd645e75405708a308699c102ae48b8998eab0c5825e89199ec1
SSDEEP

384:ABgJGJl7tj1Msagab1h5Vh+2CWmrDRbD59ePbGBsbh0w4wlAokw9OhgOL1vYRGO5:AZ7nMsanzR+2crdDveyBKh0p29SgRxR

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

supermorad.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2036	Trojan.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2020	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
844	97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe
2036	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	Trojan.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2036	844	97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe	27
PID 844 wrote to memory of 2036	844	97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe	27
PID 844 wrote to memory of 2036	844	97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe	27
PID 844 wrote to memory of 2036	844	97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe	27
PID 2036 wrote to memory of 2020	2036	Trojan.exe	28
PID 2036 wrote to memory of 2020	2036	Trojan.exe	28
PID 2036 wrote to memory of 2020	2036	Trojan.exe	28
PID 2036 wrote to memory of 2020	2036	Trojan.exe	28

C:\Users\Admin\AppData\Local\Temp\97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe
"C:\Users\Admin\AppData\Local\Temp\97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
c126e0f1c902ecc3c38a70201a3ff596

SHA1
7f2f7546361464ac039fc7f59a40c2bbe72fe60b

SHA256
97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b

SHA512
499030cf4ca86ee53304998100133603c940db3e6c40c9b1c31a901cce50d8201ffa283aa27abd645e75405708a308699c102ae48b8998eab0c5825e89199ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
c126e0f1c902ecc3c38a70201a3ff596

SHA1
7f2f7546361464ac039fc7f59a40c2bbe72fe60b

SHA256
97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b

SHA512
499030cf4ca86ee53304998100133603c940db3e6c40c9b1c31a901cce50d8201ffa283aa27abd645e75405708a308699c102ae48b8998eab0c5825e89199ec1

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
29KB

MD5
c126e0f1c902ecc3c38a70201a3ff596

SHA1
7f2f7546361464ac039fc7f59a40c2bbe72fe60b

SHA256
97cac6f39661b123ad7001774042f62433d3bd5d0fd09682fc32d3acac81984b

SHA512
499030cf4ca86ee53304998100133603c940db3e6c40c9b1c31a901cce50d8201ffa283aa27abd645e75405708a308699c102ae48b8998eab0c5825e89199ec1

Download Submit
memory/844-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/844-55-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/844-61-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-64-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download
memory/2036-65-0x0000000074EA0000-0x000000007544B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing