njrat | b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

General

Target

b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe
Size

1.0MB
MD5

dff4dc6bba5c7ee0b6f5dc5952719bd7
SHA1

4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7
SHA256

b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c
SHA512

b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90
SSDEEP

12288:Nq8RG2iNkLNo2+jgC/9scsQVAfLS43gWXd/bbnkLC8jL60QmwXMr6j8vF:NqqG1C7+ZOTQmzdbTke8NQmwc6g

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

185.94.29.109:1111

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 3 IoCs

pid	Process
2232	Payload.exe
3804	Payload.exe
2420	Payload.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2232 set thread context of 2420	2232	Payload.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	Payload.exe
2232	Payload.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	Payload.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 2668 wrote to memory of 1208	2668	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	97
PID 1208 wrote to memory of 2232	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	100
PID 1208 wrote to memory of 2232	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	100
PID 1208 wrote to memory of 2232	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	100
PID 1208 wrote to memory of 4124	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	101
PID 1208 wrote to memory of 4124	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	101
PID 1208 wrote to memory of 4124	1208	b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe	101
PID 2232 wrote to memory of 3804	2232	Payload.exe	106
PID 2232 wrote to memory of 3804	2232	Payload.exe	106
PID 2232 wrote to memory of 3804	2232	Payload.exe	106
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107
PID 2232 wrote to memory of 2420	2232	Payload.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Local\Temp\b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      4⤵
      Executes dropped EXE
      PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:2420
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Views/modifies file attributes
    PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c_JC.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.0MB

MD5
dff4dc6bba5c7ee0b6f5dc5952719bd7

SHA1
4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7

SHA256
b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

SHA512
b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.0MB

MD5
dff4dc6bba5c7ee0b6f5dc5952719bd7

SHA1
4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7

SHA256
b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

SHA512
b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.0MB

MD5
dff4dc6bba5c7ee0b6f5dc5952719bd7

SHA1
4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7

SHA256
b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

SHA512
b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.0MB

MD5
dff4dc6bba5c7ee0b6f5dc5952719bd7

SHA1
4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7

SHA256
b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

SHA512
b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.0MB

MD5
dff4dc6bba5c7ee0b6f5dc5952719bd7

SHA1
4d6085c6b2c8d2f33f837d68bc8bee0eed1e48b7

SHA256
b7be6b5b19d828af4d471403cf42208720f3241dc406875530bc6d7a8652923c

SHA512
b794fb619be0a6bce8b25ad440a78f51992bb4f968a4b41a2cfb50f9a53924448eae08b1275a306ebc29b4c13995e72057aea552e590f647e82d6d65983f2a90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
57c41a40db174dceeed397f3603ce3b0

SHA1
28d62edfe4d7f58664f5c17a1c36e334fbf09d72

SHA256
10e97d78e4b1e3e3c449f7549fca69f4f7dc27f6733792e599c33287b6b68763

SHA512
a1f38384d4c3f7d4d8578d7746e83978722bdcd9f7fc5ddd6be0f2bb581a8836a302cbae33fa352fd7fafa28c3495add8ceaea1d537a0854d22cf2b5dd6fd9c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
3f20c81c220d7c51e0c2c026fa9eebac

SHA1
490df8bf6e574024bcb09bf288fd4d1c7a8aad05

SHA256
9fae8f505ea3d75e6a915cb98c1791d3acd063d779308a8a2121f9c1c0dde9f3

SHA512
0a4d9f581638d45101d802a4023bbfddd1ba3c9a678a7f6efde32431f754147933ed84e1d34a1a0b132596bc3cb4357a7aa6c7ac837492329e260acd401eaca6

Download Submit
memory/1208-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1208-19-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/1208-15-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/1208-32-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2232-33-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/2232-31-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2232-34-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2232-40-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2420-39-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2668-7-0x0000000005030000-0x000000000503E000-memory.dmp

Filesize
56KB

Download
memory/2668-16-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2668-11-0x0000000007E80000-0x0000000007F10000-memory.dmp

Filesize
576KB

Download
memory/2668-10-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/2668-9-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2668-8-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2668-1-0x00000000003A0000-0x00000000004AE000-memory.dmp

Filesize
1.1MB

Download
memory/2668-6-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/2668-5-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/2668-4-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/2668-3-0x0000000004D50000-0x0000000004DE2000-memory.dmp

Filesize
584KB

Download
memory/2668-2-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/2668-0-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads