njrat | 0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

Analysis

max time kernel
113s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe
Size

248KB
MD5

8432935b64ef23c0c07720f1142ffd93
SHA1

1f22b05be3855a7a66cf59cc2958277a2a23f925
SHA256

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df
SHA512

feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec
SSDEEP

3072:4k2t7jYmwrtGHESwzd5XmXm1656cKWK1mrFlao6Tw2C6NHZtl4o3nb9Bb1qle/jQ:mtnKGkaXC6563WKsvlawX6RZ1BDiEC

Score

10^/10

njrat hacker trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacker

yayo.ddns.net:8899

Mutex

760a31a51389e6dce4ab8e433bd27602

Attributes

reg_key
760a31a51389e6dce4ab8e433bd27602
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

google.exe

pid process

1520 google.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1520	google.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe

description	pid	process	target process
PID 900 wrote to memory of 1520	900	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe	google.exe
PID 900 wrote to memory of 1520	900	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe	google.exe
PID 900 wrote to memory of 1520	900	0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe	google.exe

C:\Users\Admin\AppData\Local\Temp\0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe
"C:\Users\Admin\AppData\Local\Temp\0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\google.exe
"C:\Users\Admin\AppData\Local\Temp\google.exe"
2⤵
- Executes dropped EXE
PID:1520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\google.exe
Filesize
248KB

MD5
8432935b64ef23c0c07720f1142ffd93

SHA1
1f22b05be3855a7a66cf59cc2958277a2a23f925

SHA256
0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

SHA512
feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\google.exe
Filesize
248KB

MD5
8432935b64ef23c0c07720f1142ffd93

SHA1
1f22b05be3855a7a66cf59cc2958277a2a23f925

SHA256
0ca46809803efa80c85e98086320c7a0c433cc73bc9ede372e566a14f426b9df

SHA512
feb256e675739097f5cca45524159b0b16294d885a0fc56cb8385bd3540ed58060396eb3b39e0761a4a80faddcfa97afd386ea8a08957d2ecdd5d845c1c2f2ec

Download Submit
memory/900-60-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/900-57-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/900-58-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/900-59-0x00000000001C0000-0x00000000001CC000-memory.dmp

Filesize
48KB

Download
memory/900-54-0x0000000001030000-0x0000000001074000-memory.dmp

Filesize
272KB

Download
memory/900-61-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/900-62-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/900-55-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/1520-63-0x0000000000000000-mapping.dmp

Download
memory/1520-66-0x00000000010F0000-0x0000000001134000-memory.dmp

Filesize
272KB

Download