njrat | afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce

Analysis

max time kernel
151s
max time network
72s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
Size

279KB
MD5

d3ece560d7a18b6c0d948a6c6302ec4f
SHA1

acf5e9b9e5093091fc726745bd8ff089a3040934
SHA256

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce
SHA512

e23eccb408c71b1abb574968ae21a2a8dbeb7857c95b0efcbe5acd68a077deb454be9a30915ba1a1ef668e17c4e39a792b57fbbec748bd23392f64d4dab7e58e
SSDEEP

6144:x1dlZro5yiyA4AvxE+faCHPJKUuM5NbRtELCe:x1dlZo5yiytAvpPJK4zwLD

Score

10^/10

njrat system evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

System

matrix123.ddns.net:2222

Mutex

93f19dda2412c86ad7520ba4198f39a0

Attributes

reg_key
93f19dda2412c86ad7520ba4198f39a0
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Register.exeexplorer.exeWindows8LoopbackManager.exe

pid process

1116 Register.exe
828 explorer.exe
1588 Windows8LoopbackManager.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1972 netsh.exe

pid	process
1116	Register.exe
828	explorer.exe
1588	Windows8LoopbackManager.exe

pid	process
1972	netsh.exe

Drops startup file 2 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93f19dda2412c86ad7520ba4198f39a0.exe	explorer.exe

Loads dropped DLL 7 IoCs

Processes:

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exeWerFault.exe

pid	process
960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe
1520	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1520 1588 WerFault.exe Windows8LoopbackManager.exe

pid	pid_target	process	target process
1520	1588	WerFault.exe	Windows8LoopbackManager.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

explorer.exe

pid	process
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1116	Register.exe
Token: 33	1116	Register.exe
Token: SeIncBasePriorityPrivilege	1116	Register.exe
Token: SeDebugPrivilege	828	explorer.exe
Token: 33	828	explorer.exe
Token: SeIncBasePriorityPrivilege	828	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exeRegister.exeexplorer.exeWindows8LoopbackManager.exe

description	pid	process	target process
PID 960 wrote to memory of 1116	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 960 wrote to memory of 1116	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 960 wrote to memory of 1116	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 960 wrote to memory of 1116	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Register.exe
PID 1116 wrote to memory of 828	1116	Register.exe	explorer.exe
PID 1116 wrote to memory of 828	1116	Register.exe	explorer.exe
PID 1116 wrote to memory of 828	1116	Register.exe	explorer.exe
PID 960 wrote to memory of 1588	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 960 wrote to memory of 1588	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 960 wrote to memory of 1588	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 960 wrote to memory of 1588	960	afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe	Windows8LoopbackManager.exe
PID 828 wrote to memory of 1972	828	explorer.exe	netsh.exe
PID 828 wrote to memory of 1972	828	explorer.exe	netsh.exe
PID 828 wrote to memory of 1972	828	explorer.exe	netsh.exe
PID 1588 wrote to memory of 1520	1588	Windows8LoopbackManager.exe	WerFault.exe
PID 1588 wrote to memory of 1520	1588	Windows8LoopbackManager.exe	WerFault.exe
PID 1588 wrote to memory of 1520	1588	Windows8LoopbackManager.exe	WerFault.exe
PID 1588 wrote to memory of 1520	1588	Windows8LoopbackManager.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe
"C:\Users\Admin\AppData\Local\Temp\afef4ac4600d7a1818d247de889d68ac7651d2ad842854d0726b50ba15f61bce.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\Register.exe
  "C:\Users\Admin\AppData\Local\Temp\Register.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explorer.exe" "explorer.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1972
- C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 812
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Register.exe

Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Register.exe

Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe

Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
\Users\Admin\AppData\Local\Temp\Register.exe

Filesize
144KB

MD5
672fb841cddc1584b0e52e0a4508a12a

SHA1
7c3b5676bed56ea6d2a45bdcba73c3bf7c3afd2b

SHA256
fbb2b8247dfdc696f58ed8ad335ec29f809a76de9b3240d1439225897d83dc8b

SHA512
90ea24a4946c38de8f8feb795a65dfe41dabbf135592eb450718d9a50f0e1d66a85bad757ba3b935e7d41fa7b2f1a9a7fad7b8661c41f2002e13362567054326

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
\Users\Admin\AppData\Local\Temp\Windows8LoopbackManager.exe

Filesize
186KB

MD5
d7937dce17efb0762b0942bb65bff9d7

SHA1
bdd4d85da112311007ab6dbffc4255a445eb9667

SHA256
8685fffb468a4fbade430eac70c6fd3fe95f5a89bfb5cc44f1b8b435d85d6fec

SHA512
3a9e42522ed61f3714e14fcd6aa5afd97feb5d8434b94d8cdf96a9463a59b643480535e047cd0fc279cdba46f2a5ce45832f4a49d893232eb9ae32a2a6803012

Download Submit
memory/828-64-0x0000000000000000-mapping.dmp

Download
memory/828-67-0x0000000000C50000-0x0000000000C7A000-memory.dmp

Filesize
168KB

Download
memory/960-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1116-61-0x0000000000180000-0x00000000001A4000-memory.dmp

Filesize
144KB

Download
memory/1116-63-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1116-56-0x0000000000000000-mapping.dmp

Download
memory/1116-59-0x0000000000EB0000-0x0000000000EDA000-memory.dmp

Filesize
168KB

Download
memory/1116-60-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/1116-62-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/1520-79-0x0000000000000000-mapping.dmp

Download
memory/1588-69-0x0000000000000000-mapping.dmp

Download
memory/1588-78-0x00000000022E5000-0x00000000022F6000-memory.dmp

Filesize
68KB

Download
memory/1588-77-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1588-76-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1588-74-0x0000000000B20000-0x0000000000B54000-memory.dmp

Filesize
208KB

Download
memory/1588-85-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/1972-72-0x0000000000000000-mapping.dmp

Download