njrat | 889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

General

Target

56adfb1405dcba693c73ba64a9d1c463.exe
Size

93KB
MD5

56adfb1405dcba693c73ba64a9d1c463
SHA1

294664d8ebda0f36572a1fb44c84a1df55376493
SHA256

889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067
SHA512

9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65
SSDEEP

1536:ZerkVbPGHz88Ebb1pjEwzGi1dDXBDrgS:ZekPGHzmf1mi1drxk

Score

10^/10

njrat lox evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

lox

C2

YWxyZWFkeS1oZXJlaW4uYXQucGx5Lmdn:NTgxNTg=

Mutex

7585b9138af20fd06384c70df526bb85

Attributes

reg_key
7585b9138af20fd06384c70df526bb85
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1716 netsh.exe

pid	process
1716	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7585b9138af20fd06384c70df526bb85Windows System.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Comporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Comporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7585b9138af20fd06384c70df526bb85Windows System.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

364 server.exe
Loads dropped DLL 2 IoCs

Processes:

56adfb1405dcba693c73ba64a9d1c463.exe

pid process

1584 56adfb1405dcba693c73ba64a9d1c463.exe
1584 56adfb1405dcba693c73ba64a9d1c463.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1584	56adfb1405dcba693c73ba64a9d1c463.exe
1584	56adfb1405dcba693c73ba64a9d1c463.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exe

pid	process
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe
364	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

364 server.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe
Token: 33	364	server.exe
Token: SeIncBasePriorityPrivilege	364	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

56adfb1405dcba693c73ba64a9d1c463.exeserver.exe

description	pid	process	target process
PID 1584 wrote to memory of 364	1584	56adfb1405dcba693c73ba64a9d1c463.exe	server.exe
PID 1584 wrote to memory of 364	1584	56adfb1405dcba693c73ba64a9d1c463.exe	server.exe
PID 1584 wrote to memory of 364	1584	56adfb1405dcba693c73ba64a9d1c463.exe	server.exe
PID 1584 wrote to memory of 364	1584	56adfb1405dcba693c73ba64a9d1c463.exe	server.exe
PID 364 wrote to memory of 1716	364	server.exe	netsh.exe
PID 364 wrote to memory of 1716	364	server.exe	netsh.exe
PID 364 wrote to memory of 1716	364	server.exe	netsh.exe
PID 364 wrote to memory of 1716	364	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\56adfb1405dcba693c73ba64a9d1c463.exe
"C:\Users\Admin\AppData\Local\Temp\56adfb1405dcba693c73ba64a9d1c463.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
f478c76bbb3174dbc7fabae62224f818

SHA1
bed239508bad9fcd15a9bdea1e132f62468d07d1

SHA256
d7a0af52f260c87ef40bdfc1f1196faf7797593d62c6120ae99957d78762ed1a

SHA512
b653aa05746c721c9129456de3798d9e94385a0e5630c5d497fa0d6076274560885edd5875232b40d07aafa3f0e929e9b3bf2ff388ad2c21b3589cb01b79f94b

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
56adfb1405dcba693c73ba64a9d1c463

SHA1
294664d8ebda0f36572a1fb44c84a1df55376493

SHA256
889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

SHA512
9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
56adfb1405dcba693c73ba64a9d1c463

SHA1
294664d8ebda0f36572a1fb44c84a1df55376493

SHA256
889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

SHA512
9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
56adfb1405dcba693c73ba64a9d1c463

SHA1
294664d8ebda0f36572a1fb44c84a1df55376493

SHA256
889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

SHA512
9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
56adfb1405dcba693c73ba64a9d1c463

SHA1
294664d8ebda0f36572a1fb44c84a1df55376493

SHA256
889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

SHA512
9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
56adfb1405dcba693c73ba64a9d1c463

SHA1
294664d8ebda0f36572a1fb44c84a1df55376493

SHA256
889a5de641983dcca6e2a91b1442812e84fd17821c7117f965f751bea5eb4067

SHA512
9a5b362929702907913f4caf50a02c876307731b4ed97252b9196eaafa6b4ae39f1198d0f0d46b8bcdc257336636dcdac20a8cc57d9c7f9705b9e1f982b2cd65

Download Submit
memory/364-68-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/364-76-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/364-77-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/1584-54-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads