njrat | f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc

General

Target

a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Size

23KB
MD5

a65150c7e6a1470efdeb95b92e40a5ea
SHA1

0e876d2c5da0ce4f7887af1f1b48272c13aaf3ec
SHA256

f16873bf7953ec4a08c62a32dc6365c8a74303c09c723f4548e2ea3452eb0bbc
SHA512

a29eb17ff452f54dc0f273114c769f64bcf8aadcf129cc49555905120c7cdb58a8ce06e77852414782c84c2b13cf9118095e5985e33910b655db0c603e228312
SSDEEP

384:upc6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZAz:ube9EJLN/yRpcnuF

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2284 netsh.exe

pid	process
2284	netsh.exe

Drops startup file 2 IoCs

Processes:

a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27f71527bed7617b3e2e3f3ed8ecf225.exe	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\27f71527bed7617b3e2e3f3ed8ecf225.exe	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

description	pid	process
Token: SeDebugPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: 33	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
Token: SeIncBasePriorityPrivilege	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a65150c7e6a1470efdeb95b92e40a5ea_JC.exe

description	pid	process	target process
PID 1016 wrote to memory of 2284	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe	netsh.exe
PID 1016 wrote to memory of 2284	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe	netsh.exe
PID 1016 wrote to memory of 2284	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe	netsh.exe
PID 1016 wrote to memory of 2284	1016	a65150c7e6a1470efdeb95b92e40a5ea_JC.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a65150c7e6a1470efdeb95b92e40a5ea_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a65150c7e6a1470efdeb95b92e40a5ea_JC.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a65150c7e6a1470efdeb95b92e40a5ea_JC.exe" "a65150c7e6a1470efdeb95b92e40a5ea_JC.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-0-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-1-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-2-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/1016-4-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-5-0x0000000074D00000-0x00000000752AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-6-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads