njrat | 5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88

Analysis

max time kernel
154s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe
Size

649KB
MD5

fd77bce75d75a3587ed36155da6888e0
SHA1

b58ad2e1cf5bca700c5ed198acbb197335f3a3fa
SHA256

5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88
SHA512

ca212402d0e133ca518e5d82a4375f37d2105eb2c234be0b6d571f784c86b597508626cde919c7814d343df717b5af36a4aec79a0e8b5a85420858ce63970a5e
SSDEEP

12288:aJLBZE2PUOGzNmAF6699D52yjS6EGdyafJaSIMPzkqdtRbKdE1J:yLfE2PUOk6U55PS67fcsPR/dz1J

Score

10^/10

njrat hacked by jamal evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By Jamal

mokla.no-ip.biz:1177

Mutex

19e3e31e995d880c12ab2c426a9773dd

Attributes

reg_key
19e3e31e995d880c12ab2c426a9773dd
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

photo.exephoto.exePhoto.exePhoto.exe

pid process

4948 photo.exe
4820 photo.exe
4404 Photo.exe
1992 Photo.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3768 netsh.exe

pid	process
4948	photo.exe
4820	photo.exe
4404	Photo.exe
1992	Photo.exe

pid	process
3768	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exephoto.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	photo.exe

Drops startup file 2 IoCs

Processes:

Photo.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19e3e31e995d880c12ab2c426a9773dd.exe	Photo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\19e3e31e995d880c12ab2c426a9773dd.exe	Photo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Photo.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19e3e31e995d880c12ab2c426a9773dd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Photo.exe\" .."	Photo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19e3e31e995d880c12ab2c426a9773dd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Photo.exe\" .."	Photo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

photo.exePhoto.exe

description	pid	process	target process
PID 4948 set thread context of 4820	4948	photo.exe	photo.exe
PID 4404 set thread context of 1992	4404	Photo.exe	Photo.exe

Drops file in Windows directory 4 IoCs

Processes:

photo.exePhoto.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	photo.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	Photo.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	Photo.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	photo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

photo.exePhoto.exePhoto.exe

description	pid	process
Token: SeDebugPrivilege	4948	photo.exe
Token: 33	4948	photo.exe
Token: SeIncBasePriorityPrivilege	4948	photo.exe
Token: SeDebugPrivilege	4404	Photo.exe
Token: 33	4404	Photo.exe
Token: SeIncBasePriorityPrivilege	4404	Photo.exe
Token: SeDebugPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe
Token: 33	1992	Photo.exe
Token: SeIncBasePriorityPrivilege	1992	Photo.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exephoto.exephoto.exePhoto.exePhoto.exe

description	pid	process	target process
PID 3996 wrote to memory of 4948	3996	5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe	photo.exe
PID 3996 wrote to memory of 4948	3996	5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe	photo.exe
PID 3996 wrote to memory of 4948	3996	5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4948 wrote to memory of 4820	4948	photo.exe	photo.exe
PID 4820 wrote to memory of 4404	4820	photo.exe	Photo.exe
PID 4820 wrote to memory of 4404	4820	photo.exe	Photo.exe
PID 4820 wrote to memory of 4404	4820	photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 4404 wrote to memory of 1992	4404	Photo.exe	Photo.exe
PID 1992 wrote to memory of 3768	1992	Photo.exe	netsh.exe
PID 1992 wrote to memory of 3768	1992	Photo.exe	netsh.exe
PID 1992 wrote to memory of 3768	1992	Photo.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe
"C:\Users\Admin\AppData\Local\Temp\5311007a8d4e7b034dbe652619428aefe33bef614cc385d2d4f74f3b7c8cfe88.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\photo.exe
  "C:\Users\Admin\AppData\Local\Temp\photo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\photo.exe
    "C:\Users\Admin\AppData\Local\Temp\photo.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Users\Admin\AppData\Roaming\Photo.exe
      "C:\Users\Admin\AppData\Roaming\Photo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Roaming\Photo.exe
        
        "C:\Users\Admin\AppData\Roaming\Photo.exe"
        5⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Photo.exe" "Photo.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:3768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Photo.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Users\Admin\AppData\Local\Temp\photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Users\Admin\AppData\Roaming\Photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Users\Admin\AppData\Roaming\Photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Users\Admin\AppData\Roaming\Photo.exe

Filesize
564KB

MD5
73a787e94c4eda195521bbf9ca5df164

SHA1
4027e3eeb2f2549b9054b162dccc39f63c630826

SHA256
2d9165cf3577fd8e201af52bc416784ad6ffa8c4e0162fe3f6926aec99da1618

SHA512
5695dc574ece58defc76537787186f13021248dace336760b21069ea81f2e698b9877e713b13d6530f891486642b1b90d6bd76fa6dc79695080c976cfe72e557

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
1KB

MD5
0ab10c7693829b4df09553caa8b5cb6a

SHA1
14a79441721d62318c86189cc277928138c008a9

SHA256
43236056ef3b7f42736d61b1f9e7b98f19067b7f3f8271be9482ff4400ca23f3

SHA512
3fde870b190c9ad392aea71c6d6603280ecbdfda7b9120eef46599e4d3fce9a45189e1277d4050c476b0482944f22c6bb86b01999c7a9fc03d7a65998ce37119

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
1KB

MD5
0ab10c7693829b4df09553caa8b5cb6a

SHA1
14a79441721d62318c86189cc277928138c008a9

SHA256
43236056ef3b7f42736d61b1f9e7b98f19067b7f3f8271be9482ff4400ca23f3

SHA512
3fde870b190c9ad392aea71c6d6603280ecbdfda7b9120eef46599e4d3fce9a45189e1277d4050c476b0482944f22c6bb86b01999c7a9fc03d7a65998ce37119

Download Submit
memory/1992-153-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1992-155-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/1992-149-0x0000000000000000-mapping.dmp

Download
memory/3768-154-0x0000000000000000-mapping.dmp

Download
memory/4404-152-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4404-148-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4404-141-0x0000000000000000-mapping.dmp

Download
memory/4820-137-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4820-147-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4820-139-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4820-136-0x0000000000000000-mapping.dmp

Download
memory/4948-140-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4948-132-0x0000000000000000-mapping.dmp

Download
memory/4948-135-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download