njrat | a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/08/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11d49dd9407654efd37f016694461dfc.exe
Size

93KB
MD5

11d49dd9407654efd37f016694461dfc
SHA1

55f385dde7de9eb303a6ad158a6150d1322da736
SHA256

a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96
SHA512

2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9
SSDEEP

768:PY3IcRhpC0EoQspgnOmWNW6tsX2JADll2gSXxrjEtCdnl2pi1Rz4Rk3wsGdp/gS7:9cHpVEoKOmWM6sdl4jEwzGi1dDID/gS

Score

10^/10

njrat 2.tcp.eu.ngrok.io evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2.tcp.eu.ngrok.io

hakim32.ddns.net:2000

2.tcp.eu.ngrok.io:15056

Mutex

23d4a67ca31c94fb2f7e69f8c176876d

Attributes

reg_key
23d4a67ca31c94fb2f7e69f8c176876d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2904	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23d4a67ca31c94fb2f7e69f8c176876dWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\23d4a67ca31c94fb2f7e69f8c176876dWindows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
2212	server.exe

Loads dropped DLL 2 IoCs

pid	Process
1856	11d49dd9407654efd37f016694461dfc.exe
1856	11d49dd9407654efd37f016694461dfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2212	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe
Token: 33	2212	server.exe
Token: SeIncBasePriorityPrivilege	2212	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2212	1856	11d49dd9407654efd37f016694461dfc.exe	28
PID 1856 wrote to memory of 2212	1856	11d49dd9407654efd37f016694461dfc.exe	28
PID 1856 wrote to memory of 2212	1856	11d49dd9407654efd37f016694461dfc.exe	28
PID 1856 wrote to memory of 2212	1856	11d49dd9407654efd37f016694461dfc.exe	28
PID 2212 wrote to memory of 2904	2212	server.exe	29
PID 2212 wrote to memory of 2904	2212	server.exe	29
PID 2212 wrote to memory of 2904	2212	server.exe	29
PID 2212 wrote to memory of 2904	2212	server.exe	29

C:\Users\Admin\AppData\Local\Temp\11d49dd9407654efd37f016694461dfc.exe
"C:\Users\Admin\AppData\Local\Temp\11d49dd9407654efd37f016694461dfc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
aa3cce4f6c83d5adfcfc45934b274cc6

SHA1
20e102f0ad9f95951786af279e5215d2ecf85126

SHA256
57a8ff317e913b7e08c0a1758997ed0ffc2f1aba0a3b3310c7697bc207fd15e5

SHA512
f9ec7cd14188f6f7cc00d64dfd7781fc425b7dd24d8fa70d9382cd127bbcc657c734812bc50ba0761393b1a89de9dc02f0d90e8377d6387f24e2d36c98d185cf

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
11d49dd9407654efd37f016694461dfc

SHA1
55f385dde7de9eb303a6ad158a6150d1322da736

SHA256
a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

SHA512
2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
11d49dd9407654efd37f016694461dfc

SHA1
55f385dde7de9eb303a6ad158a6150d1322da736

SHA256
a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

SHA512
2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
11d49dd9407654efd37f016694461dfc

SHA1
55f385dde7de9eb303a6ad158a6150d1322da736

SHA256
a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

SHA512
2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
11d49dd9407654efd37f016694461dfc

SHA1
55f385dde7de9eb303a6ad158a6150d1322da736

SHA256
a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

SHA512
2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9

Download Submit
\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
11d49dd9407654efd37f016694461dfc

SHA1
55f385dde7de9eb303a6ad158a6150d1322da736

SHA256
a77d89af9f2b35acf31f220c08293373fb7670ae463d114dd9aa0ba76d040d96

SHA512
2c27613c62c759059c17758cc62cada5d08e5fc0382d3c4a64badb85c45301cdc4fe38f87da328e6b98adeb00980d0b503e790b0616ad514ffb5f9d324af58c9

Download Submit
memory/1856-56-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1856-54-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1856-68-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1856-55-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-70-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-69-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-87-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-88-0x0000000000240000-0x0000000000280000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads