njrat | 3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

General

Target

14eed63dd3f3814eb8640b7437dcea62.exe
Size

104KB
MD5

14eed63dd3f3814eb8640b7437dcea62
SHA1

a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5
SHA256

3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2
SHA512

6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f
SSDEEP

3072:Yp/uy6Ogx6bsBnKZ2kNVmJQuahzata9DP:Yp/MOgx6sBnSlmJQhhOt

Score

10^/10

njrat uopfff persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

uopfff

C2

212.ip.ply.gg:17869

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	14eed63dd3f3814eb8640b7437dcea62.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
2268	Payload.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	14eed63dd3f3814eb8640b7437dcea62.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	14eed63dd3f3814eb8640b7437dcea62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-719110999-4061093145-1944564496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe
Token: 33	2268	Payload.exe
Token: SeIncBasePriorityPrivilege	2268	Payload.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2268	2400	14eed63dd3f3814eb8640b7437dcea62.exe	29
PID 2400 wrote to memory of 2268	2400	14eed63dd3f3814eb8640b7437dcea62.exe	29
PID 2400 wrote to memory of 2268	2400	14eed63dd3f3814eb8640b7437dcea62.exe	29
PID 2400 wrote to memory of 2268	2400	14eed63dd3f3814eb8640b7437dcea62.exe	29
PID 2400 wrote to memory of 2108	2400	14eed63dd3f3814eb8640b7437dcea62.exe	30
PID 2400 wrote to memory of 2108	2400	14eed63dd3f3814eb8640b7437dcea62.exe	30
PID 2400 wrote to memory of 2108	2400	14eed63dd3f3814eb8640b7437dcea62.exe	30
PID 2400 wrote to memory of 2108	2400	14eed63dd3f3814eb8640b7437dcea62.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2108	attrib.exe

C:\Users\Admin\AppData\Local\Temp\14eed63dd3f3814eb8640b7437dcea62.exe
"C:\Users\Admin\AppData\Local\Temp\14eed63dd3f3814eb8640b7437dcea62.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Views/modifies file attributes
  PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
b4c5730f2503da25ce74328998140417

SHA1
029fd03e8bfbdefacdb58738bf7c73cffa126b26

SHA256
f76e22ff0e4dfeabfc333b957b2f51739ab5f592d73a4722924e16e1ba3bbbff

SHA512
645a3085a1f052ac808dbf7a275fd7ad7224802536ff2e108dfec199280c86c7c079d1c90cbcf736128f6ca5f103f93a7605c629613b7436e50c005380d7bfee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1018B

MD5
21473805a7410d962ba0884e6cbaaba8

SHA1
d95a1c4c518ba08bdeae3462166ebac0d3093c56

SHA256
8f1288a3b495a2108cf8f0405b41eedeb5a94ad179b208066d496f30fc2286af

SHA512
6ec3a52c181e3cc074e5f595131323e0c5431680dd7bcb654a13fb4ed0bd46388ac467ce573775b73de09600484844ee9e80a636700f00520f26d8d6fe676e25

Download Submit
\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
104KB

MD5
14eed63dd3f3814eb8640b7437dcea62

SHA1
a6e9ba8f069961a7b0f5dbdf35dea5c354eb6aa5

SHA256
3ac16c7b82034ad11f034dd1edab2484577eac6e2991e65a2fd1299784687df2

SHA512
6792834ced2429f62088487516a23f682f0851826b4fb4dec6044e8deeaeca08323e6ca35d04e618d50458f6bfbd5f27685e4b0cd7c6b608d19b0f42e919217f

Download Submit
memory/2268-67-0x0000000000950000-0x0000000000972000-memory.dmp

Filesize
136KB

Download
memory/2268-72-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2268-73-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/2400-59-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2400-58-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/2400-54-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/2400-55-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads