njrat | ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920-55-0x0000000000150000-0x000000000016C000-memory.exe
Size

112KB
MD5

6bf92ac881f8bcf056d86806f358f2ad
SHA1

f0576d75b587612fb22137757c0486103e05eec1
SHA256

ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d
SHA512

a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04
SSDEEP

768:zY3rETnkpjTMpALPGMtsas88EtNXhU9f1mxCXxrjEtCdnl2pi1Rz4Rk3BsGdpVgM:6E7kVbPGHz88EbE1pjEwzGi1dDRDVgS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Zm9ycnV4eC5kZG5zLm5ldAStrikStrik:OTA5MA==

Mutex

30bf20a7c4c21398efee41949036ac7b

Attributes

reg_key
30bf20a7c4c21398efee41949036ac7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
304	netsh.exe
564	netsh.exe
316	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30bf20a7c4c21398efee41949036ac7bWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\30bf20a7c4c21398efee41949036ac7bWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
1624	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe
1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe
1624	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1624	server.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe
Token: 33	1624	server.exe
Token: SeIncBasePriorityPrivilege	1624	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1624	1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe	28
PID 1368 wrote to memory of 1624	1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe	28
PID 1368 wrote to memory of 1624	1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe	28
PID 1368 wrote to memory of 1624	1368	920-55-0x0000000000150000-0x000000000016C000-memory.exe	28
PID 1624 wrote to memory of 304	1624	server.exe	29
PID 1624 wrote to memory of 304	1624	server.exe	29
PID 1624 wrote to memory of 304	1624	server.exe	29
PID 1624 wrote to memory of 304	1624	server.exe	29
PID 1624 wrote to memory of 564	1624	server.exe	31
PID 1624 wrote to memory of 564	1624	server.exe	31
PID 1624 wrote to memory of 564	1624	server.exe	31
PID 1624 wrote to memory of 564	1624	server.exe	31
PID 1624 wrote to memory of 316	1624	server.exe	32
PID 1624 wrote to memory of 316	1624	server.exe	32
PID 1624 wrote to memory of 316	1624	server.exe	32
PID 1624 wrote to memory of 316	1624	server.exe	32

C:\Users\Admin\AppData\Local\Temp\920-55-0x0000000000150000-0x000000000016C000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\920-55-0x0000000000150000-0x000000000016C000-memory.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:304
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:564
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
112KB

MD5
6bf92ac881f8bcf056d86806f358f2ad

SHA1
f0576d75b587612fb22137757c0486103e05eec1

SHA256
ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

SHA512
a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
112KB

MD5
6bf92ac881f8bcf056d86806f358f2ad

SHA1
f0576d75b587612fb22137757c0486103e05eec1

SHA256
ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

SHA512
a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
112KB

MD5
6bf92ac881f8bcf056d86806f358f2ad

SHA1
f0576d75b587612fb22137757c0486103e05eec1

SHA256
ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

SHA512
a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
69cf10399d0d1350c3698099796624cb

SHA1
d0b58b76ff065f51172971853a7da414286d9ea7

SHA256
a7bff94c7cdef50b67a3bab142ebcec4d360491e339581c41f433fec6d002f48

SHA512
5e1c9745b2b529c026e51fbff7fd4e1e0bd208c705b7da830459758d28c01b32b9bc93caa7ad60228d3e785784023d8a739fda0dab62d3c76770ea84c257f1f7

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
112KB

MD5
6bf92ac881f8bcf056d86806f358f2ad

SHA1
f0576d75b587612fb22137757c0486103e05eec1

SHA256
ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

SHA512
a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
112KB

MD5
6bf92ac881f8bcf056d86806f358f2ad

SHA1
f0576d75b587612fb22137757c0486103e05eec1

SHA256
ba38db076db9709a7b5e70a9a81ce2b1116800e60951006c4c5f4534fd55f16d

SHA512
a39557f3359dbd072234de4f22da937687bac992ce2182bdd39ef2cbd3f052d7c238f82ebd908291e24eb54f9937a22be62bbfc20e0e2c9d4213c55fe4da4c04

Download Submit
memory/1368-55-0x0000000002070000-0x00000000020B0000-memory.dmp

Filesize
256KB

Download
memory/1624-68-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download