njrat | 9b128bead261e37e627633f1c1eaa0e242f0681b07074badfc03c0f59120a5b2

General

Target

b510d18d2aa0a1c6e1f268fa888454d7.exe
Size

287KB
MD5

b510d18d2aa0a1c6e1f268fa888454d7
SHA1

6fa648be32432436ac88b5461a01a535b60a2892
SHA256

9b128bead261e37e627633f1c1eaa0e242f0681b07074badfc03c0f59120a5b2
SHA512

7e285b8d164633e82291a7089dccc9f37ebb364c87b6de5ffa2cd5cd0da701de998f01f43f82e8d612d262f8a163b1137373a4432eb95a6a8aa92243942a1bac
SSDEEP

3072:eU0c0PAZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ+ZZZZZZZZZZZZZZZZZZZZZe:6+GIIIIIIIhIIIIIIIIIIIIIIIU

Score

10^/10

njrat gargulecnaraciespoof evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

GargulecNaRacieSpoof

C2

5.249.160.56:2137

Mutex

1ce03857c4a192a1bd388be0ffabd5c2

Attributes

reg_key
1ce03857c4a192a1bd388be0ffabd5c2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
1356	bypass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
656	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ce03857c4a192a1bd388be0ffabd5c2.exe	bypass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ce03857c4a192a1bd388be0ffabd5c2.exe	bypass.exe

Loads dropped DLL 1 IoCs

pid	Process
1204	b510d18d2aa0a1c6e1f268fa888454d7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\1ce03857c4a192a1bd388be0ffabd5c2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bypass.exe\" .."	bypass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1ce03857c4a192a1bd388be0ffabd5c2 = "\"C:\\Users\\Admin\\AppData\\Roaming\\bypass.exe\" .."	bypass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe
Token: 33	1356	bypass.exe
Token: SeIncBasePriorityPrivilege	1356	bypass.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1356	1204	b510d18d2aa0a1c6e1f268fa888454d7.exe	28
PID 1204 wrote to memory of 1356	1204	b510d18d2aa0a1c6e1f268fa888454d7.exe	28
PID 1204 wrote to memory of 1356	1204	b510d18d2aa0a1c6e1f268fa888454d7.exe	28
PID 1204 wrote to memory of 1356	1204	b510d18d2aa0a1c6e1f268fa888454d7.exe	28
PID 1356 wrote to memory of 656	1356	bypass.exe	29
PID 1356 wrote to memory of 656	1356	bypass.exe	29
PID 1356 wrote to memory of 656	1356	bypass.exe	29
PID 1356 wrote to memory of 656	1356	bypass.exe	29

C:\Users\Admin\AppData\Local\Temp\b510d18d2aa0a1c6e1f268fa888454d7.exe
"C:\Users\Admin\AppData\Local\Temp\b510d18d2aa0a1c6e1f268fa888454d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Roaming\bypass.exe
  "C:\Users\Admin\AppData\Roaming\bypass.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\bypass.exe" "bypass.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\bypass.exe

Filesize
287KB

MD5
b510d18d2aa0a1c6e1f268fa888454d7

SHA1
6fa648be32432436ac88b5461a01a535b60a2892

SHA256
9b128bead261e37e627633f1c1eaa0e242f0681b07074badfc03c0f59120a5b2

SHA512
7e285b8d164633e82291a7089dccc9f37ebb364c87b6de5ffa2cd5cd0da701de998f01f43f82e8d612d262f8a163b1137373a4432eb95a6a8aa92243942a1bac

Download Submit
C:\Users\Admin\AppData\Roaming\bypass.exe

Filesize
287KB

MD5
b510d18d2aa0a1c6e1f268fa888454d7

SHA1
6fa648be32432436ac88b5461a01a535b60a2892

SHA256
9b128bead261e37e627633f1c1eaa0e242f0681b07074badfc03c0f59120a5b2

SHA512
7e285b8d164633e82291a7089dccc9f37ebb364c87b6de5ffa2cd5cd0da701de998f01f43f82e8d612d262f8a163b1137373a4432eb95a6a8aa92243942a1bac

Download Submit
\Users\Admin\AppData\Roaming\bypass.exe

Filesize
287KB

MD5
b510d18d2aa0a1c6e1f268fa888454d7

SHA1
6fa648be32432436ac88b5461a01a535b60a2892

SHA256
9b128bead261e37e627633f1c1eaa0e242f0681b07074badfc03c0f59120a5b2

SHA512
7e285b8d164633e82291a7089dccc9f37ebb364c87b6de5ffa2cd5cd0da701de998f01f43f82e8d612d262f8a163b1137373a4432eb95a6a8aa92243942a1bac

Download Submit
memory/1204-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1204-55-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1204-61-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-62-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-65-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing