njrat | 284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

Analysis

max time kernel
34s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
10/02/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

3cbf6e57b14a57ec9873564109ed293b
SHA1

ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d
SHA256

284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52
SHA512

dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670
SSDEEP

768:YY3NxEFKghFchQVTqWnwz/1h3XE/dlczxXSsvXxrjEtCdnl2pi1Rz4Rk38sGdpO3:txeK6bTq8itNEUVhjEwzGi1dD0DOgS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

b3h5FRANSESCODEuZHVja2Rucy5vcmcStrik:MTQ0NA==

Mutex

c0a391fef49101cfadbb06a771d06348

Attributes

reg_key
c0a391fef49101cfadbb06a771d06348
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1180	netsh.exe
1032	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2800	server.exe
3068	svchost.exe
1296	server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	Server.exe
File created	C:\Windows\server.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2800	server.exe
3068	svchost.exe
1296	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2800	4848	Server.exe	84
PID 4848 wrote to memory of 2800	4848	Server.exe	84
PID 4848 wrote to memory of 2800	4848	Server.exe	84
PID 2800 wrote to memory of 1180	2800	server.exe	85
PID 2800 wrote to memory of 1180	2800	server.exe	85
PID 2800 wrote to memory of 1180	2800	server.exe	85
PID 2800 wrote to memory of 3068	2800	server.exe	87
PID 2800 wrote to memory of 3068	2800	server.exe	87
PID 2800 wrote to memory of 3068	2800	server.exe	87
PID 3068 wrote to memory of 1296	3068	svchost.exe	88
PID 3068 wrote to memory of 1296	3068	svchost.exe	88
PID 3068 wrote to memory of 1296	3068	svchost.exe	88
PID 1296 wrote to memory of 1032	1296	server.exe	90
PID 1296 wrote to memory of 1032	1296	server.exe	90
PID 1296 wrote to memory of 1032	1296	server.exe	90

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:1180
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\server.exe
      "C:\Windows\server.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
408B

MD5
661cab77d3b907e8057f2e689e995af3

SHA1
5d1a0ee9c5ee7a7a90d56d00c10dc0e679bee01c

SHA256
8f27f95ad7c09f2e05d7960e78ef8cd935c1262e9657883a75d70dcb877592d2

SHA512
2523b316bd79fed0e9b3d73f46959f3dfe270cf950f34bd9d49fe4113a2ae46d0cd00224d848bc40c0d8c55449e2dccc4b4278ba4809c0ca9ede1ac75673fc67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
a65a8cc18c0fdcac3b78ed8f032e2f98

SHA1
9087f7aaf4edf3b132348b1e5dfa7a678d57d40e

SHA256
ca1c5c735384c64968c987e3e608cb48a3cbd73e870f1bc6d60f2b24f9445e3a

SHA512
8e56c9aa0c90fb30b488fa72a0b9d40e69c357e32d8e6f9d5a299dfbf9df8c896c28684d7163972019ab53dfcfe35dc75e9b305e07c81b9984a410e04b96186d

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
C:\Windows\server.exe

Filesize
93KB

MD5
3cbf6e57b14a57ec9873564109ed293b

SHA1
ffb229b7d5a4a1c97e316812e60b2f4c5ca2e75d

SHA256
284f61865c2e04fd1b835bcc4f488565140823bba0ca40eba083108d560ddd52

SHA512
dc810a473ba15bc8402bb41174008582179ef6869dab7f0780f1e35ecb98dbf980408687486798e36ed922d8222af73d623645ca9c4f193cda394db43d46a670

Download Submit
memory/1296-151-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/1296-155-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2800-138-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2800-145-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/2800-140-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/3068-147-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/3068-153-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/4848-132-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download
memory/4848-136-0x00000000751A0000-0x0000000075751000-memory.dmp

Filesize
5.7MB

Download