njrat | ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

General

Target

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
Size

1.5MB
MD5

62acb695a8baccb136d49911f38a58ea
SHA1

cf0977abb66708f5aef2a4606d065448d39bbfc0
SHA256

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e
SHA512

daeed0028080beb28bd944facb6b970b11d27f43a5f7e2a4f80ac09c916156cf1e96c18d63966b22a40315f6fde9e8a171adfd96b6ee185f20f0aaad5c793190
SSDEEP

24576:8egV2LlUOwU1OmvLx/mMBT9RHnw1bMtIWz0DvxYIEFV4O3ZH6gTqp:8MTt1OmvLx/mMBT9RHnw1bMtIWz0DvxL

Score

10^/10

njrat hacked_byme evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed_ByMe

C2

topo2015.no-ip.biz:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes

reg_key
08f4dc96bbb7af09d1a37fe35c75a42f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

352.exeexplorer.exe

pid process

1764 352.exe
1772 explorer.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1204 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe352.exe

pid process

1936 ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1764 352.exe

pid	process
1764	352.exe
1772	explorer.exe

pid	process
1204	netsh.exe

pid	process
1936	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1764	352.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

description	ioc	process
File created	C:\autorun.inf	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
File opened for modification	C:\autorun.inf	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

description	pid	process	target process
PID 1388 set thread context of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeexplorer.exe

pid	process
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
Token: SeDebugPrivilege	1772	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe352.exeexplorer.exe

description	pid	process	target process
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1388 wrote to memory of 1936	1388	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1936 wrote to memory of 1764	1936	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	352.exe
PID 1936 wrote to memory of 1764	1936	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	352.exe
PID 1936 wrote to memory of 1764	1936	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	352.exe
PID 1936 wrote to memory of 1764	1936	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	352.exe
PID 1764 wrote to memory of 1772	1764	352.exe	explorer.exe
PID 1764 wrote to memory of 1772	1764	352.exe	explorer.exe
PID 1764 wrote to memory of 1772	1764	352.exe	explorer.exe
PID 1764 wrote to memory of 1772	1764	352.exe	explorer.exe
PID 1772 wrote to memory of 1204	1772	explorer.exe	netsh.exe
PID 1772 wrote to memory of 1204	1772	explorer.exe	netsh.exe
PID 1772 wrote to memory of 1204	1772	explorer.exe	netsh.exe
PID 1772 wrote to memory of 1204	1772	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
"C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\352.exe
C:\Users\Admin\AppData\Local\Temp\352.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\352.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\352.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
\Users\Admin\AppData\Local\Temp\352.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
memory/1204-76-0x0000000000000000-mapping.dmp

Download
memory/1388-73-0x0000000004325000-0x0000000004336000-memory.dmp

Filesize
68KB

Download
memory/1388-56-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1388-77-0x0000000004325000-0x0000000004336000-memory.dmp

Filesize
68KB

Download
memory/1388-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-54-0x0000000000820000-0x000000000099E000-memory.dmp

Filesize
1.5MB

Download
memory/1764-64-0x0000000000000000-mapping.dmp

Download
memory/1764-74-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1772-75-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1772-69-0x0000000000000000-mapping.dmp

Download
memory/1772-79-0x000000006FE10000-0x00000000703BB000-memory.dmp

Filesize
5.7MB

Download
memory/1936-57-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1936-58-0x000000000041679E-mapping.dmp

Download
memory/1936-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1936-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads