njrat | 14e7527286628b9a3db838dcb20e96a56f5d9bedbe38b6b06fc3caf7b2ea3eb6

General

Target

onling.exe
Size

23KB
MD5

e49ba092469c2d5813bdf3259050f977
SHA1

1d65cb5388cfc4ae2f91531e8dcb3b1caa598076
SHA256

8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a
SHA512

5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14
SSDEEP

384:4+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZNc:nm+71d5XRpcnu5

Score

10^/10

njrat dofus evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

dofus

C2

volkov2014.ddns.net:123

Mutex

3634b8c969047b1aa244e63e9c21a96a

Attributes

reg_key
3634b8c969047b1aa244e63e9c21a96a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

984 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

816 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

onling.exe

pid process

836 onling.exe

pid	process
984	server.exe

pid	process
816	netsh.exe

pid	process
836	onling.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3634b8c969047b1aa244e63e9c21a96a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe
Token: 33	984	server.exe
Token: SeIncBasePriorityPrivilege	984	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

onling.exeserver.exe

description	pid	process	target process
PID 836 wrote to memory of 984	836	onling.exe	server.exe
PID 836 wrote to memory of 984	836	onling.exe	server.exe
PID 836 wrote to memory of 984	836	onling.exe	server.exe
PID 836 wrote to memory of 984	836	onling.exe	server.exe
PID 984 wrote to memory of 816	984	server.exe	netsh.exe
PID 984 wrote to memory of 816	984	server.exe	netsh.exe
PID 984 wrote to memory of 816	984	server.exe	netsh.exe
PID 984 wrote to memory of 816	984	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\onling.exe
"C:\Users\Admin\AppData\Local\Temp\onling.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
e49ba092469c2d5813bdf3259050f977

SHA1
1d65cb5388cfc4ae2f91531e8dcb3b1caa598076

SHA256
8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a

SHA512
5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
e49ba092469c2d5813bdf3259050f977

SHA1
1d65cb5388cfc4ae2f91531e8dcb3b1caa598076

SHA256
8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a

SHA512
5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
23KB

MD5
e49ba092469c2d5813bdf3259050f977

SHA1
1d65cb5388cfc4ae2f91531e8dcb3b1caa598076

SHA256
8eb3eb1266c7ec59095e1391ec473eda426303e773ff4f595d9a5e2affb37d3a

SHA512
5463a3704d9339db4a2c7fe2d77000eb1c37a35ecb8fcca2ce89fede49e7390af93a00c306c177bb76cbe4d06ab212009605d38e3f8cc3546eb3057220b81a14

Download Submit
memory/816-63-0x0000000000000000-mapping.dmp

Download
memory/836-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/836-55-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/836-61-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/984-57-0x0000000000000000-mapping.dmp

Download
memory/984-62-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/984-65-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads