njrat | 2c0033a6f0d9b0c8f0127ae6c7615b81acef43fef4f89bf89b9e329e7fdf9fb2

Analysis

max time kernel
8s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/06/2023, 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

43KB
MD5

621e4e49b03c78b3d7e5f3009d30ca7e
SHA1

2c61e1935a571f299824c9014801dbedaa54f280
SHA256

2c0033a6f0d9b0c8f0127ae6c7615b81acef43fef4f89bf89b9e329e7fdf9fb2
SHA512

d91d03eb4896f35fd16ff249050461c732974c8bbfd608b4859258e0cde9c84ba4f8d7c11cefb611837ad32820d1d572fead2653ec50598cf9f2dff8208f9072
SSDEEP

384:qZy0lO1STss7yKSxVYkEgEkurJS2dzsIij+ZsNO3PlpJKkkjh/TzF7pWnm/greTf:oHIk4smKSHYZxrEYuXQ/o/3+L

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

7.tcp.eu.ngrok.io:7777

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Drops startup file
- Adds Run key to start application
PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1304-54-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/1304-55-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download