njrat | 514cde391d2cc75f6828eba57df708470e15000b3912cc280e6f2e0f70d911b6

General

Target

a6788b416256f073b1eded7e517b9efc.exe
Size

37KB
MD5

a6788b416256f073b1eded7e517b9efc
SHA1

748b30e16ad551fee8029f1070ab7c2c45c0bb15
SHA256

514cde391d2cc75f6828eba57df708470e15000b3912cc280e6f2e0f70d911b6
SHA512

3608c99f68605a1008e83dcf58cc6d48552889b804da21b0156848e2999d92294d6fdf84e3f0a2196e69ce56013bcbf02473a1d00fd37928e52cd3c9115891ce
SSDEEP

384:qLTJ9kitkZf5W9cTYXyc/jZMM6zffknvU5IrAF+rMRTyN/0L+EcoinblneHQM3e5:CJqjjTYic/jW0vU2rM+rMRa8Nuvjt

Score

10^/10

njrat hafff evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Hafff

C2

7.tcp.eu.ngrok.io:11226

Mutex

57db514cab5ed7b35a311ee80c5f73e1

Attributes

reg_key
57db514cab5ed7b35a311ee80c5f73e1
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
840	svchost.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
676	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57db514cab5ed7b35a311ee80c5f73e1.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57db514cab5ed7b35a311ee80c5f73e1.exe	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1760	a6788b416256f073b1eded7e517b9efc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\57db514cab5ed7b35a311ee80c5f73e1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\57db514cab5ed7b35a311ee80c5f73e1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe
Token: 33	840	svchost.exe
Token: SeIncBasePriorityPrivilege	840	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 840	1760	a6788b416256f073b1eded7e517b9efc.exe	27
PID 1760 wrote to memory of 840	1760	a6788b416256f073b1eded7e517b9efc.exe	27
PID 1760 wrote to memory of 840	1760	a6788b416256f073b1eded7e517b9efc.exe	27
PID 1760 wrote to memory of 840	1760	a6788b416256f073b1eded7e517b9efc.exe	27
PID 840 wrote to memory of 676	840	svchost.exe	28
PID 840 wrote to memory of 676	840	svchost.exe	28
PID 840 wrote to memory of 676	840	svchost.exe	28
PID 840 wrote to memory of 676	840	svchost.exe	28

C:\Users\Admin\AppData\Local\Temp\a6788b416256f073b1eded7e517b9efc.exe
"C:\Users\Admin\AppData\Local\Temp\a6788b416256f073b1eded7e517b9efc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
a6788b416256f073b1eded7e517b9efc

SHA1
748b30e16ad551fee8029f1070ab7c2c45c0bb15

SHA256
514cde391d2cc75f6828eba57df708470e15000b3912cc280e6f2e0f70d911b6

SHA512
3608c99f68605a1008e83dcf58cc6d48552889b804da21b0156848e2999d92294d6fdf84e3f0a2196e69ce56013bcbf02473a1d00fd37928e52cd3c9115891ce

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
a6788b416256f073b1eded7e517b9efc

SHA1
748b30e16ad551fee8029f1070ab7c2c45c0bb15

SHA256
514cde391d2cc75f6828eba57df708470e15000b3912cc280e6f2e0f70d911b6

SHA512
3608c99f68605a1008e83dcf58cc6d48552889b804da21b0156848e2999d92294d6fdf84e3f0a2196e69ce56013bcbf02473a1d00fd37928e52cd3c9115891ce

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
37KB

MD5
a6788b416256f073b1eded7e517b9efc

SHA1
748b30e16ad551fee8029f1070ab7c2c45c0bb15

SHA256
514cde391d2cc75f6828eba57df708470e15000b3912cc280e6f2e0f70d911b6

SHA512
3608c99f68605a1008e83dcf58cc6d48552889b804da21b0156848e2999d92294d6fdf84e3f0a2196e69ce56013bcbf02473a1d00fd37928e52cd3c9115891ce

Download Submit
memory/840-62-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/840-65-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-55-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download
memory/1760-61-0x0000000073F00000-0x00000000744AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing