njrat | 7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84

General

Target

wearaawr.exe
Size

93KB
MD5

63f06efdbe1f93b7a2688a0baf2256d4
SHA1

91d9cc6369d885534cfa7eea162964bc06c00b2b
SHA256

7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84
SHA512

a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1
SSDEEP

1536:CIaw0gMX6BbNrnYjS7JjEwzGi1dDxDbgS:CIwX6BbNraS7Gi1d1U

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTI3LjAuFRANSESCOC4x:MzE0OQ==

Mutex

1e837d763a164123719a02065b1e7b81

Attributes

reg_key
1e837d763a164123719a02065b1e7b81
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2980 netsh.exe
4656 netsh.exe
212 netsh.exe

pid	process
2980	netsh.exe
4656	netsh.exe
212	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wearaawr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wearaawr.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1e837d763a164123719a02065b1e7b81Windows Update.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

4952 server.exe
Drops file in System32 directory 2 IoCs

Processes:

server.exe

description ioc process

File created C:\Windows\SysWOW64\Explower.exe server.exe
File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe

pid	process
4952	server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4952 server.exe

pid	process
4952	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe
Token: 33	4952	server.exe
Token: SeIncBasePriorityPrivilege	4952	server.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wearaawr.exeserver.exe

description	pid	process	target process
PID 1316 wrote to memory of 4952	1316	wearaawr.exe	server.exe
PID 1316 wrote to memory of 4952	1316	wearaawr.exe	server.exe
PID 1316 wrote to memory of 4952	1316	wearaawr.exe	server.exe
PID 4952 wrote to memory of 212	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 212	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 212	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 2980	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 2980	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 2980	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 4656	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 4656	4952	server.exe	netsh.exe
PID 4952 wrote to memory of 4656	4952	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\wearaawr.exe
"C:\Users\Admin\AppData\Local\Temp\wearaawr.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:212

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:2980

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
112317d572ce0538d2d1b20d7f32170e

SHA1
c7f3714c4806b907bcff7f79aa1d1c9373b77d1e

SHA256
fd9e9a8be71786826787d6eb9aa28371d09b0515ddf0c19b082fe7bac57a88a9

SHA512
265dbebc83c74dc97770e650580b0321144990d133403bab2bc1de4618cde63dfd4fedfa56b5e4e259b510585db0f7a59042c356356c56bea3ac861d4be5337f

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
63f06efdbe1f93b7a2688a0baf2256d4

SHA1
91d9cc6369d885534cfa7eea162964bc06c00b2b

SHA256
7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84

SHA512
a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
63f06efdbe1f93b7a2688a0baf2256d4

SHA1
91d9cc6369d885534cfa7eea162964bc06c00b2b

SHA256
7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84

SHA512
a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
63f06efdbe1f93b7a2688a0baf2256d4

SHA1
91d9cc6369d885534cfa7eea162964bc06c00b2b

SHA256
7caf8f81caea74f0a583349fc9f4f96e9226c913a7cb9f2dbca87050ae595e84

SHA512
a0137176f42d908d09bb96d74aef630bcb50b42a64c6763945b42e0ef9f159c05bd8b468320b1c6f248e8591e23a27edf5f7c17bb32342d1eb9744667ed196b1

Download Submit
memory/1316-134-0x0000000001470000-0x0000000001480000-memory.dmp

Filesize
64KB

Download
memory/4952-146-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/4952-152-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads