njrat | cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e

General

Target

cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
Size

23KB
MD5

1b5d01ad390e8ca90fc4708a21f1b846
SHA1

88a27e59b8ec194d96a6d5f947a888310f95bbe8
SHA256

cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e
SHA512

9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586
SSDEEP

384:PluBPiZCMfdfSJrQbsLRGSIxYeL46Dg/i8BD9BmRvR6JZlbw8hqIusZzZiZ:4OmhtItRpcnuF

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

bodylol2.no-ip.biz:1177

Mutex

42de0ab5567f78f85e9d2682d65bbf19

Attributes

reg_key
42de0ab5567f78f85e9d2682d65bbf19
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

System.exe

pid process

840 System.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

592 netsh.exe

pid	process
840	System.exe

pid	process
592	netsh.exe

Drops startup file 2 IoCs

Processes:

System.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42de0ab5567f78f85e9d2682d65bbf19.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\42de0ab5567f78f85e9d2682d65bbf19.exe	System.exe

Loads dropped DLL 1 IoCs

Processes:

cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe

pid process

1544 cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe

pid	process
1544	cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

System.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\42de0ab5567f78f85e9d2682d65bbf19 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

System.exe

description	pid	process
Token: SeDebugPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe
Token: 33	840	System.exe
Token: SeIncBasePriorityPrivilege	840	System.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exeSystem.exe

description	pid	process	target process
PID 1544 wrote to memory of 840	1544	cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe	System.exe
PID 1544 wrote to memory of 840	1544	cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe	System.exe
PID 1544 wrote to memory of 840	1544	cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe	System.exe
PID 1544 wrote to memory of 840	1544	cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe	System.exe
PID 840 wrote to memory of 592	840	System.exe	netsh.exe
PID 840 wrote to memory of 592	840	System.exe	netsh.exe
PID 840 wrote to memory of 592	840	System.exe	netsh.exe
PID 840 wrote to memory of 592	840	System.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe
"C:\Users\Admin\AppData\Local\Temp\cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
23KB

MD5
1b5d01ad390e8ca90fc4708a21f1b846

SHA1
88a27e59b8ec194d96a6d5f947a888310f95bbe8

SHA256
cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e

SHA512
9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
23KB

MD5
1b5d01ad390e8ca90fc4708a21f1b846

SHA1
88a27e59b8ec194d96a6d5f947a888310f95bbe8

SHA256
cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e

SHA512
9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586

Download Submit
\Users\Admin\AppData\Local\Temp\System.exe
Filesize
23KB

MD5
1b5d01ad390e8ca90fc4708a21f1b846

SHA1
88a27e59b8ec194d96a6d5f947a888310f95bbe8

SHA256
cbaef05f8225ce70a6103129c69ed19c1a3af6fd1136c43e435603be4aa4238e

SHA512
9fd898d36ea7630c31f470b07f97d3fd5f4b0ff8bf870fb7debea0df1dfe6b6ffe751cebdbc9283cfd33b2f9330066d6973c460b4aa9f9c5364a04c345e52586

Download Submit
memory/592-63-0x0000000000000000-mapping.dmp

Download
memory/840-57-0x0000000000000000-mapping.dmp

Download
memory/840-62-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/840-65-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1544-55-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-61-0x0000000074530000-0x0000000074ADB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads