njrat | 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

General

Target

AVI Reader.exe
Size

49KB
MD5

c3ec94cb1c15fbfd213aa5d5854b8e3f
SHA1

65726604b29227377aadef41da87a7306c852f0c
SHA256

87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
SHA512

e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf
SSDEEP

1536:a7dS1EAd8II28ca2zhmamGJCKDRMcyEQXGNEPRbw1Rl:igEA6II2Da2zPf/XyEQSiRby

Score

10^/10

njrat cheats persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Cheats

C2

127.0.0.1:1

Mutex

smss.exe

Attributes

reg_key
smss.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

smss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe	smss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.url	smss.exe

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

4988 smss.exe

pid	process
4988	smss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

smss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\smss.exe\" .."	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1284 schtasks.exe

pid	process
1284	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

smss.exe

description	pid	process
Token: SeDebugPrivilege	4988	smss.exe
Token: 33	4988	smss.exe
Token: SeIncBasePriorityPrivilege	4988	smss.exe
Token: 33	4988	smss.exe
Token: SeIncBasePriorityPrivilege	4988	smss.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

AVI Reader.execmd.exesmss.exe

description	pid	process	target process
PID 2752 wrote to memory of 4988	2752	AVI Reader.exe	smss.exe
PID 2752 wrote to memory of 4988	2752	AVI Reader.exe	smss.exe
PID 2752 wrote to memory of 1972	2752	AVI Reader.exe	cmd.exe
PID 2752 wrote to memory of 1972	2752	AVI Reader.exe	cmd.exe
PID 1972 wrote to memory of 5084	1972	cmd.exe	choice.exe
PID 1972 wrote to memory of 5084	1972	cmd.exe	choice.exe
PID 4988 wrote to memory of 4588	4988	smss.exe	schtasks.exe
PID 4988 wrote to memory of 4588	4988	smss.exe	schtasks.exe
PID 4988 wrote to memory of 1284	4988	smss.exe	schtasks.exe
PID 4988 wrote to memory of 1284	4988	smss.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe
"C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\smss.exe
"C:\Users\Admin\AppData\Local\Temp\smss.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4588

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\smss.exe
3⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\AVI Reader.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
3⤵
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smss.exe
Filesize
49KB

MD5
c3ec94cb1c15fbfd213aa5d5854b8e3f

SHA1
65726604b29227377aadef41da87a7306c852f0c

SHA256
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

SHA512
e9cc11eb5e5e7426f9b8109e73194fccf989bfba3c04b73b78094946e79c5c31f3bb85d75193bc370b192836932a6bd8fdda1f3b5ff7b027a911b9bd7612aebf

Download Submit
memory/2752-4-0x00000000032A0000-0x00000000032B0000-memory.dmp

Filesize
64KB

Download
memory/2752-1-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/2752-6-0x000000001CF80000-0x000000001D026000-memory.dmp

Filesize
664KB

Download
memory/2752-5-0x0000000001920000-0x0000000001938000-memory.dmp

Filesize
96KB

Download
memory/2752-3-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/2752-2-0x000000001C4E0000-0x000000001C9AE000-memory.dmp

Filesize
4.8MB

Download
memory/2752-0-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/2752-15-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/4988-16-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/4988-14-0x0000000003100000-0x0000000003200000-memory.dmp

Filesize
1024KB

Download
memory/4988-13-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/4988-20-0x000000001CF00000-0x000000001CF9C000-memory.dmp

Filesize
624KB

Download
memory/4988-21-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

Filesize
32KB

Download
memory/4988-22-0x00007FFCF8690000-0x00007FFCF9030000-memory.dmp

Filesize
9.6MB

Download
memory/4988-23-0x0000000003100000-0x0000000003200000-memory.dmp

Filesize
1024KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads