njrat | ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e

General

Target

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
Size

1.5MB
MD5

62acb695a8baccb136d49911f38a58ea
SHA1

cf0977abb66708f5aef2a4606d065448d39bbfc0
SHA256

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e
SHA512

daeed0028080beb28bd944facb6b970b11d27f43a5f7e2a4f80ac09c916156cf1e96c18d63966b22a40315f6fde9e8a171adfd96b6ee185f20f0aaad5c793190
SSDEEP

24576:8egV2LlUOwU1OmvLx/mMBT9RHnw1bMtIWz0DvxYIEFV4O3ZH6gTqp:8MTt1OmvLx/mMBT9RHnw1bMtIWz0DvxL

Score

10^/10

njrat hacked_byme evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed_ByMe

C2

topo2015.no-ip.biz:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes

reg_key
08f4dc96bbb7af09d1a37fe35c75a42f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

344.exeexplorer.exe

pid process

736 344.exe
4700 explorer.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2680 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

344.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 344.exe

pid	process
736	344.exe
4700	explorer.exe

pid	process
2680	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	344.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\08f4dc96bbb7af09d1a37fe35c75a42f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe\" .."	explorer.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

description	ioc	process
File created	C:\autorun.inf	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
File opened for modification	C:\autorun.inf	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

description	pid	process	target process
PID 4140 set thread context of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeexplorer.exe

pid	process
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe
4700	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
Token: SeDebugPrivilege	4700	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exeff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe344.exeexplorer.exe

description	pid	process	target process
PID 4140 wrote to memory of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 4140 wrote to memory of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 4140 wrote to memory of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 4140 wrote to memory of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 4140 wrote to memory of 1036	4140	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
PID 1036 wrote to memory of 736	1036	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	344.exe
PID 1036 wrote to memory of 736	1036	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	344.exe
PID 1036 wrote to memory of 736	1036	ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe	344.exe
PID 736 wrote to memory of 4700	736	344.exe	explorer.exe
PID 736 wrote to memory of 4700	736	344.exe	explorer.exe
PID 736 wrote to memory of 4700	736	344.exe	explorer.exe
PID 4700 wrote to memory of 2680	4700	explorer.exe	netsh.exe
PID 4700 wrote to memory of 2680	4700	explorer.exe	netsh.exe
PID 4700 wrote to memory of 2680	4700	explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
"C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe"
1⤵
- Drops autorun.inf file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4140

C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
C:\Users\Admin\AppData\Local\Temp\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\344.exe
C:\Users\Admin\AppData\Local\Temp\344.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorer.exe" "explorer.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ff980ba1ada09aa1539fefa27236c23a321dd075ac7538ec7cac29519d3bba6e.exe.log
Filesize
1KB

MD5
362b202f72e593d16c9fe1249267f6bf

SHA1
380de3b8a5412f5cff2cbb08035d40ffd4dea63f

SHA256
5b0f2c4e98fc7bd5a42bbe5eb20512b4f747ae85d562be171d76371795589e4c

SHA512
4a8e8cae1f0bfb5326099643281aeba0cc7fbae47f2b94fd48978c5348925a196e9f84f4625c90670f688375da99dce7e92d4a8d27ad43da965390f033a2d0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\344.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\344.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
29KB

MD5
43afee168bd48d96a9d5680e9e018f48

SHA1
5d7d7759dd7de0689b1c7f00907bc35c76c91b64

SHA256
9bae1caa1febc9c5757159e1b6d3eac50274e48ebd5a0c562506478495df8397

SHA512
e636e8c998b87f8364dadb98f830a632ac640b727a9928cd686039bcb63aef85a233bef3b025f723eb3c7e3a00ac5c33512e931c4289fd9c4b7309e6475b2789

Download Submit
memory/736-140-0x0000000000000000-mapping.dmp

Download
memory/736-149-0x00000000703F0000-0x00000000709A1000-memory.dmp

Filesize
5.7MB

Download
memory/736-145-0x00000000703F0000-0x00000000709A1000-memory.dmp

Filesize
5.7MB

Download
memory/736-143-0x00000000703F0000-0x00000000709A1000-memory.dmp

Filesize
5.7MB

Download
memory/1036-138-0x0000000000000000-mapping.dmp

Download
memory/1036-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2680-150-0x0000000000000000-mapping.dmp

Download
memory/4140-135-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/4140-132-0x00000000000B0000-0x000000000022E000-memory.dmp

Filesize
1.5MB

Download
memory/4140-134-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/4140-133-0x0000000004B70000-0x0000000004C0C000-memory.dmp

Filesize
624KB

Download
memory/4140-136-0x0000000004EA0000-0x0000000004F6E000-memory.dmp

Filesize
824KB

Download
memory/4140-137-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/4700-146-0x0000000000000000-mapping.dmp

Download
memory/4700-151-0x00000000703F0000-0x00000000709A1000-memory.dmp

Filesize
5.7MB

Download
memory/4700-152-0x00000000703F0000-0x00000000709A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads