njrat | 484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111

General

Target

stub.exe_xor-packed.exe
Size

60KB
MD5

f70109842c9126e15d1761576c307db3
SHA1

de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99
SHA256

484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111
SHA512

ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d
SSDEEP

768:svW9wNRqQ9XIdHZ4fc/kexyGW2j+VwD+deiwqJf2tmEMotwJymFQypKwhafuxmsU:79w+MO45ex7V+mDsJ52cEJmmdiXYuOF

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:9017

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

stub.exe_xor-packed.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	stub.exe_xor-packed.exe

Drops startup file 3 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	Client.exe

Executes dropped EXE 2 IoCs

Processes:

Client.exeClient.exe

pid process

1432 Client.exe
3092 Client.exe

pid	process
1432	Client.exe
3092	Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe

Drops file in System32 directory 1 IoCs

Processes:

stub.exe_xor-packed.exe

description ioc process

File created C:\windows\system32\fq5tjb.exe stub.exe_xor-packed.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

996 schtasks.exe
5100 schtasks.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exetaskkill.exeTASKKILL.exeTASKKILL.exetaskkill.exe

pid process

2008 TASKKILL.exe
4300 TASKKILL.exe
2332 TASKKILL.exe
4548 TASKKILL.exe
4788 taskkill.exe
1744 TASKKILL.exe
3136 TASKKILL.exe
888 taskkill.exe

description	ioc	process
File created	C:\windows\system32\fq5tjb.exe	stub.exe_xor-packed.exe

pid	process
996	schtasks.exe
5100	schtasks.exe

pid	process
2008	TASKKILL.exe
4300	TASKKILL.exe
2332	TASKKILL.exe
4548	TASKKILL.exe
4788	taskkill.exe
1744	TASKKILL.exe
3136	TASKKILL.exe
888	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

stub.exe_xor-packed.exeClient.exeClient.exe

pid	process
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
3216	stub.exe_xor-packed.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
1432	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe
3092	Client.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

stub.exe_xor-packed.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	3216	stub.exe_xor-packed.exe
Token: SeDebugPrivilege	2008	TASKKILL.exe
Token: SeDebugPrivilege	4300	TASKKILL.exe
Token: SeDebugPrivilege	1432	Client.exe
Token: SeDebugPrivilege	4548	TASKKILL.exe
Token: SeDebugPrivilege	2332	TASKKILL.exe
Token: 33	1432	Client.exe
Token: SeIncBasePriorityPrivilege	1432	Client.exe
Token: 33	1432	Client.exe
Token: SeIncBasePriorityPrivilege	1432	Client.exe
Token: 33	1432	Client.exe
Token: SeIncBasePriorityPrivilege	1432	Client.exe
Token: SeDebugPrivilege	3092	Client.exe
Token: SeDebugPrivilege	1744	TASKKILL.exe
Token: SeDebugPrivilege	3136	TASKKILL.exe
Token: 33	1432	Client.exe
Token: SeIncBasePriorityPrivilege	1432	Client.exe
Token: 33	1432	Client.exe
Token: SeIncBasePriorityPrivilege	1432	Client.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

stub.exe_xor-packed.exeClient.exeClient.exe

description	pid	process	target process
PID 3216 wrote to memory of 2008	3216	stub.exe_xor-packed.exe	TASKKILL.exe
PID 3216 wrote to memory of 2008	3216	stub.exe_xor-packed.exe	TASKKILL.exe
PID 3216 wrote to memory of 4300	3216	stub.exe_xor-packed.exe	TASKKILL.exe
PID 3216 wrote to memory of 4300	3216	stub.exe_xor-packed.exe	TASKKILL.exe
PID 3216 wrote to memory of 1432	3216	stub.exe_xor-packed.exe	Client.exe
PID 3216 wrote to memory of 1432	3216	stub.exe_xor-packed.exe	Client.exe
PID 1432 wrote to memory of 2332	1432	Client.exe	TASKKILL.exe
PID 1432 wrote to memory of 2332	1432	Client.exe	TASKKILL.exe
PID 1432 wrote to memory of 4548	1432	Client.exe	TASKKILL.exe
PID 1432 wrote to memory of 4548	1432	Client.exe	TASKKILL.exe
PID 1432 wrote to memory of 4788	1432	Client.exe	taskkill.exe
PID 1432 wrote to memory of 4788	1432	Client.exe	taskkill.exe
PID 1432 wrote to memory of 2648	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 2648	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 996	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 996	1432	Client.exe	schtasks.exe
PID 3092 wrote to memory of 1744	3092	Client.exe	TASKKILL.exe
PID 3092 wrote to memory of 1744	3092	Client.exe	TASKKILL.exe
PID 3092 wrote to memory of 3136	3092	Client.exe	TASKKILL.exe
PID 3092 wrote to memory of 3136	3092	Client.exe	TASKKILL.exe
PID 1432 wrote to memory of 888	1432	Client.exe	taskkill.exe
PID 1432 wrote to memory of 888	1432	Client.exe	taskkill.exe
PID 1432 wrote to memory of 380	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 380	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 5100	1432	Client.exe	schtasks.exe
PID 1432 wrote to memory of 5100	1432	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\stub.exe_xor-packed.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe_xor-packed.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SYSTEM32\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4788

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2648

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Client.exe
3⤵
- Creates scheduled task(s)
PID:996

C:\Windows\SYSTEM32\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:888

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:380

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Client.exe
3⤵
- Creates scheduled task(s)
PID:5100

C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
60KB

MD5
f70109842c9126e15d1761576c307db3

SHA1
de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99

SHA256
484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111

SHA512
ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
60KB

MD5
f70109842c9126e15d1761576c307db3

SHA1
de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99

SHA256
484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111

SHA512
ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
60KB

MD5
f70109842c9126e15d1761576c307db3

SHA1
de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99

SHA256
484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111

SHA512
ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
60KB

MD5
f70109842c9126e15d1761576c307db3

SHA1
de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99

SHA256
484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111

SHA512
ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d

Download Submit
memory/1432-26-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/1432-19-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-21-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

Filesize
64KB

Download
memory/1432-25-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-28-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-29-0x000000001B3D0000-0x000000001B3E0000-memory.dmp

Filesize
64KB

Download
memory/3092-31-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-3-0x0000000001650000-0x0000000001664000-memory.dmp

Filesize
80KB

Download
memory/3216-4-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/3216-2-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-20-0x00007FFC4D200000-0x00007FFC4DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-0-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/3216-1-0x0000000001610000-0x0000000001628000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads