njrat | fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199

General

Target

njRAT.exe
Size

959KB
MD5

0431311b5f024d6e66b90d59491f2563
SHA1

e9ff4da7e3f2199cbc16d37d8935cb1b0567ac2a
SHA256

fd624aa205517580e83fad7a4ce4d64863e95f62b34ac72647b1974a52822199
SHA512

d44b14e4b24e6e2d506ec32098488a16ebd5df57499ecd85e8878b8af2a3e1f9ed20d4125836417b702d0571f992aeac07af051dbf9268f48954556d17f51ee2
SSDEEP

12288:+O9vE3J7JO+xEPuc//9wivAmv6SAbnzmip2hGnadlFM4ZHOT2:+eXuczPCSGnzVjad1

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1716	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe	windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecc7c8c51c0850c1ec247c7fd3602f20.exe	windows.exe

Executes dropped EXE 3 IoCs

pid	Process
2352	njRAT.exe
4496	njq8.exe
4292	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .."	windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ecc7c8c51c0850c1ec247c7fd3602f20 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows.exe\" .."	windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	2352	WerFault.exe	66

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3104	dw20.exe
3104	dw20.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe
4292	windows.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	windows.exe
Token: SeRestorePrivilege	3104	dw20.exe
Token: SeBackupPrivilege	3104	dw20.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2352	4124	njRAT.exe	66
PID 4124 wrote to memory of 2352	4124	njRAT.exe	66
PID 4124 wrote to memory of 2352	4124	njRAT.exe	66
PID 4124 wrote to memory of 4496	4124	njRAT.exe	67
PID 4124 wrote to memory of 4496	4124	njRAT.exe	67
PID 4124 wrote to memory of 4496	4124	njRAT.exe	67
PID 4496 wrote to memory of 4292	4496	njq8.exe	68
PID 4496 wrote to memory of 4292	4496	njq8.exe	68
PID 4496 wrote to memory of 4292	4496	njq8.exe	68
PID 4292 wrote to memory of 1716	4292	windows.exe	69
PID 4292 wrote to memory of 1716	4292	windows.exe	69
PID 4292 wrote to memory of 1716	4292	windows.exe	69
PID 2352 wrote to memory of 3104	2352	njRAT.exe	71
PID 2352 wrote to memory of 3104	2352	njRAT.exe	71
PID 2352 wrote to memory of 3104	2352	njRAT.exe	71

C:\Users\Admin\AppData\Local\Temp\njRAT.exe
"C:\Users\Admin\AppData\Local\Temp\njRAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\njRAT.exe
  "C:\njRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1228
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1216
    3⤵
    - Program crash
    PID:1120
- C:\njq8.exe
  "C:\njq8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\windows.exe
    "C:\Users\Admin\AppData\Local\Temp\windows.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows.exe" "windows.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
28KB

MD5
edc4f10a5e164db64bf79eca207f2749

SHA1
d08eb761a5446a4409a72f3af3fb8dd60eec7c92

SHA256
ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

SHA512
e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
28KB

MD5
edc4f10a5e164db64bf79eca207f2749

SHA1
d08eb761a5446a4409a72f3af3fb8dd60eec7c92

SHA256
ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

SHA512
e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
28KB

MD5
edc4f10a5e164db64bf79eca207f2749

SHA1
d08eb761a5446a4409a72f3af3fb8dd60eec7c92

SHA256
ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

SHA512
e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Download Submit
C:\njRAT.exe

Filesize
898KB

MD5
08f223ac15e2e92561ed310ae71415c1

SHA1
0a871a4b376bd8771188b96a9a1bb6fe1205160d

SHA256
51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec

SHA512
9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

Download Submit
C:\njRAT.exe

Filesize
898KB

MD5
08f223ac15e2e92561ed310ae71415c1

SHA1
0a871a4b376bd8771188b96a9a1bb6fe1205160d

SHA256
51f2aec8b6de1e49b1ca74203afd380484932b07067a91f027548bc20b8967ec

SHA512
9acc7b4976c23fa019361b52eb22dcdfbf0bb1039aa8c8e74507f0501709616757a2d762d0478956a03bfadecdee812c9aa2360655891ab4ed1de96f35e23cd4

Download Submit
C:\njq8.exe

Filesize
28KB

MD5
edc4f10a5e164db64bf79eca207f2749

SHA1
d08eb761a5446a4409a72f3af3fb8dd60eec7c92

SHA256
ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

SHA512
e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Download Submit
C:\njq8.exe

Filesize
28KB

MD5
edc4f10a5e164db64bf79eca207f2749

SHA1
d08eb761a5446a4409a72f3af3fb8dd60eec7c92

SHA256
ce6421107031175f39e61d3bcc5a98d1d94190e250034e27cdbebbadcba084a4

SHA512
e974a32096cc58c1a78c7aa8714b8b8b7a202859905a28d5ce61fd9a563382a7577825e8c9ee612d7ba708f3efef01a43d07df03e7c1e3e52d0cb32240d5d15d

Download Submit
memory/2352-143-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2352-144-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2352-150-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2352-152-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2352-133-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/2352-153-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/4124-123-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4124-116-0x00000000000D0000-0x00000000001C8000-memory.dmp

Filesize
992KB

Download
memory/4124-121-0x0000000004CB0000-0x0000000004D06000-memory.dmp

Filesize
344KB

Download
memory/4124-120-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/4124-145-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4124-119-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/4124-118-0x0000000004F50000-0x000000000544E000-memory.dmp

Filesize
5.0MB

Download
memory/4124-117-0x00000000049B0000-0x0000000004A4C000-memory.dmp

Filesize
624KB

Download
memory/4292-142-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4292-151-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4292-156-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4292-157-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4496-134-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing