njrat | 1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2023 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bMJj.exe
Size

78KB
MD5

d6b907a131586513531e26f54e424ef1
SHA1

dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae
SHA256

1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995
SHA512

0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff
SSDEEP

1536:h5B+r0dODplS5wpOk3JCK6pFoO/d6fOpd/9nEh9TG6JgR:YQwpOk5CK6gO/9ES6Jg

Score

10^/10

njrat lime trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

ax4.duckdns.org:9966

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
16426337

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bMJj.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation bMJj.exe
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3896 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	bMJj.exe

pid	process
3896	Client.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Client.exe

description	pid	process
Token: SeDebugPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe
Token: 33	3896	Client.exe
Token: SeIncBasePriorityPrivilege	3896	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

bMJj.exe

description	pid	process	target process
PID 3532 wrote to memory of 3896	3532	bMJj.exe	Client.exe
PID 3532 wrote to memory of 3896	3532	bMJj.exe	Client.exe
PID 3532 wrote to memory of 3896	3532	bMJj.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\bMJj.exe
"C:\Users\Admin\AppData\Local\Temp\bMJj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
78KB

MD5
d6b907a131586513531e26f54e424ef1

SHA1
dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae

SHA256
1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995

SHA512
0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
78KB

MD5
d6b907a131586513531e26f54e424ef1

SHA1
dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae

SHA256
1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995

SHA512
0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
78KB

MD5
d6b907a131586513531e26f54e424ef1

SHA1
dbd94a49ebcf17acf7aa27b0e7e37db8161d3fae

SHA256
1edd9675ca9e84553106201aae3a98bdb2fd2ff8e6039af4478fe5af4fbfd995

SHA512
0af91f99df2b9453a19051f988d1683d3eff52aa471dc206766e55139f06ae894a2df9b418977808a5a62196da423efea07add75bcba9ba6fe8a5c83eca704ff

Download Submit
memory/3532-133-0x0000000000780000-0x0000000000790000-memory.dmp

Filesize
64KB

Download
memory/3896-143-0x00000000015E0000-0x00000000015F0000-memory.dmp

Filesize
64KB

Download
memory/3896-144-0x00000000015E0000-0x00000000015F0000-memory.dmp

Filesize
64KB

Download
memory/3896-145-0x00000000015E0000-0x00000000015F0000-memory.dmp

Filesize
64KB

Download