njrat | 85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2023, 17:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe
Size

37KB
MD5

e19f65989c0f892cebe323f2067ce4af
SHA1

07ee79b18fe3aa6c6823052ddffa770f18788a74
SHA256

85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454
SHA512

5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8
SSDEEP

384:acHsiDrT95hL5YyUvRD/zOo46Al1lrAF+rMRTyN/0L+EcoinblneHQM3epzX5Nr2:Fnv5zUvRDLlAblrM+rMRa8Nuzot

Score

10^/10

njrat windows evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

Windows

2.tcp.eu.ngrok.io:19440

Mutex

a9916e265f04c5cbbcb09972457528f5

Attributes

reg_key
a9916e265f04c5cbbcb09972457528f5
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2604	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9916e265f04c5cbbcb09972457528f5.exe	Windows.server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a9916e265f04c5cbbcb09972457528f5.exe	Windows.server.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	Windows.server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9916e265f04c5cbbcb09972457528f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.server.exe\" .."	Windows.server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a9916e265f04c5cbbcb09972457528f5 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows.server.exe\" .."	Windows.server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	Windows.server.exe
File opened for modification	C:\autorun.inf	Windows.server.exe
File created	D:\autorun.inf	Windows.server.exe
File created	F:\autorun.inf	Windows.server.exe
File opened for modification	F:\autorun.inf	Windows.server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4984	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe
5108	Windows.server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5108	Windows.server.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	5108	Windows.server.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe
Token: 33	5108	Windows.server.exe
Token: SeIncBasePriorityPrivilege	5108	Windows.server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	89
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	89
PID 3920 wrote to memory of 5108	3920	85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe	89
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	95
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	95
PID 5108 wrote to memory of 2604	5108	Windows.server.exe	95
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	97
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	97
PID 5108 wrote to memory of 4984	5108	Windows.server.exe	97

C:\Users\Admin\AppData\Local\Temp\85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe
"C:\Users\Admin\AppData\Local\Temp\85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\Windows.server.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows.server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.server.exe" "Windows.server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM Exsample.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Windows.server.exe

Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.server.exe

Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.server.exe

Filesize
37KB

MD5
e19f65989c0f892cebe323f2067ce4af

SHA1
07ee79b18fe3aa6c6823052ddffa770f18788a74

SHA256
85f3edacf251c85385541993bc690fabcfc80625b22ec330f4dd6f31c0573454

SHA512
5a110a6cdeba10cc124444c57ab49e26e9ac697de202178661fae9a228485575bcce69503ecd79d51d93e5524f59728e4b8c18663f2f7cc6f64dcac3acf3f8f8

Download Submit
memory/3920-0-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3920-1-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/3920-2-0x0000000001A10000-0x0000000001A20000-memory.dmp

Filesize
64KB

Download
memory/3920-12-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-13-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-14-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-24-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download
memory/5108-25-0x0000000074710000-0x0000000074CC1000-memory.dmp

Filesize
5.7MB

Download