njrat | cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc

General

Target

7fce93d7a0ba558b2de26cecc8f9d57d.exe
Size

455KB
MD5

7fce93d7a0ba558b2de26cecc8f9d57d
SHA1

e957a6a02e091358888a7ca30e77652df102464e
SHA256

cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc
SHA512

7f45fbaefc32e8b24790b137ee77c044e8ca3619c61d71db62a0307ed98e2102da607df496385ca82c49a093d57117de022e5e3d933062cad2e320e8688fbb6f
SSDEEP

6144:Od2/yLTYnbgz2q/ZyKphVdvoe77GUZqKCXF1x3HOb2YyPPD71lhNlOQ5JmpD:F/yPYb6wGv+U7cXOBQD3/e

Score

10^/10

njrat 14.04.2017 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

14.04.2017

C2

ytka.duckdns.org:1604

Mutex

ed423977d6a5549373be05c39703ea7d

Attributes

reg_key
ed423977d6a5549373be05c39703ea7d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

4604 netsh.exe

pid	process
4604	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7fce93d7a0ba558b2de26cecc8f9d57d.execonhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	7fce93d7a0ba558b2de26cecc8f9d57d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	conhost.exe

Drops startup file 1 IoCs

Processes:

doclan.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk doclan.exe
Executes dropped EXE 4 IoCs

Processes:

BitsProg.exedoclan.execonhost.execonhost.exe

pid process

1596 BitsProg.exe
212 doclan.exe
452 conhost.exe
4076 conhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk	doclan.exe

pid	process
1596	BitsProg.exe
212	doclan.exe
452	conhost.exe
4076	conhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

conhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .."	conhost.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

conhost.exe

description	ioc	process
File created	F:\autorun.inf	conhost.exe
File opened for modification	F:\autorun.inf	conhost.exe
File created	C:\autorun.inf	conhost.exe
File opened for modification	C:\autorun.inf	conhost.exe
File created	D:\autorun.inf	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\doclan.exe	nsis_installer_1
C:\ProgramData\doclan.exe	nsis_installer_2

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3580 taskkill.exe

pid	process
3580	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exe

pid	process
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe
4076	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

conhost.exe

pid process

4076 conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

taskkill.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe
Token: 33	4076	conhost.exe
Token: SeIncBasePriorityPrivilege	4076	conhost.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

7fce93d7a0ba558b2de26cecc8f9d57d.exedoclan.execonhost.execonhost.exe

description	pid	process	target process
PID 4924 wrote to memory of 1596	4924	7fce93d7a0ba558b2de26cecc8f9d57d.exe	BitsProg.exe
PID 4924 wrote to memory of 1596	4924	7fce93d7a0ba558b2de26cecc8f9d57d.exe	BitsProg.exe
PID 4924 wrote to memory of 212	4924	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 4924 wrote to memory of 212	4924	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 4924 wrote to memory of 212	4924	7fce93d7a0ba558b2de26cecc8f9d57d.exe	doclan.exe
PID 212 wrote to memory of 452	212	doclan.exe	conhost.exe
PID 212 wrote to memory of 452	212	doclan.exe	conhost.exe
PID 452 wrote to memory of 4076	452	conhost.exe	conhost.exe
PID 452 wrote to memory of 4076	452	conhost.exe	conhost.exe
PID 4076 wrote to memory of 4604	4076	conhost.exe	netsh.exe
PID 4076 wrote to memory of 4604	4076	conhost.exe	netsh.exe
PID 4076 wrote to memory of 3580	4076	conhost.exe	taskkill.exe
PID 4076 wrote to memory of 3580	4076	conhost.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe
"C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924

C:\ProgramData\BitsProg.exe
"C:\ProgramData\BitsProg.exe"
2⤵
- Executes dropped EXE
PID:1596

C:\ProgramData\doclan.exe
"C:\ProgramData\doclan.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Roaming\conhost.exe
C:\Users\Admin\AppData\Roaming\conhost.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:4604

C:\Windows\SYSTEM32\taskkill.exe
taskkill /F /IM cmd.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BitsProg.exe
Filesize
46KB

MD5
4aba833aab8032707642515bebc59d1b

SHA1
d5079efd8335aa23162f0165abf426d21a105607

SHA256
822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad

SHA512
25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

Download Submit
C:\ProgramData\doclan.exe
Filesize
396KB

MD5
b9388102124c0d070b2ae86908938b41

SHA1
bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6

SHA256
f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779

SHA512
f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
409KB

MD5
3f7505a47a226e431bc813de5d359695

SHA1
d767624f41e9cf5691c3ca507ca3967de3eae659

SHA256
fa4b7115ed091455b4f5bc4cd0f0c5d034e88b495d6a888fba49253bb4847fc2

SHA512
2254202f53f8c78a5e8a37e2d3fa0a517bb569dac2dcdbb0a51500c007d20dda9719bd2efdfeb285fbe9bf7d0d0576d97cdf621e6707e43b9493f76f9dbca07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize
336KB

MD5
dda6cd90c77ab497488748a1f7c268fe

SHA1
50512fa43993d7433400f791fa649febfd19186c

SHA256
7b667f5ff9e73d34c38bcfe8b9bbe50393948697dc5c5c897f7b64aa61ffe119

SHA512
a6795c0497a4e755c98af7eae2ea692fbf8213ec7f8f0dfe3746a440c91fb5dc40f06ff8f329f4be08a0f51372ef62fdefb51b9e3a2757300dd8a657c179f70b

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe
Filesize
1.0MB

MD5
00a9e6fdd884f9276c09c478a3b1d101

SHA1
3be2b06abfec17151b86bb172eba193f968a4ebc

SHA256
7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134

SHA512
23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d

Download Submit
memory/452-39-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/452-38-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/452-44-0x000000001B760000-0x000000001B77E000-memory.dmp

Filesize
120KB

Download
memory/452-41-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/452-30-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/452-33-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/452-31-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/452-43-0x000000001A600000-0x000000001A610000-memory.dmp

Filesize
64KB

Download
memory/452-35-0x000000001D9F0000-0x000000001DF18000-memory.dmp

Filesize
5.2MB

Download
memory/452-42-0x000000001B7E0000-0x000000001B856000-memory.dmp

Filesize
472KB

Download
memory/452-58-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-36-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-24-0x000001AD47E20000-0x000001AD47E30000-memory.dmp

Filesize
64KB

Download
memory/1596-22-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-37-0x000001AD47E20000-0x000001AD47E30000-memory.dmp

Filesize
64KB

Download
memory/1596-21-0x000001AD461A0000-0x000001AD461B0000-memory.dmp

Filesize
64KB

Download
memory/1596-34-0x000001AD47E20000-0x000001AD47E30000-memory.dmp

Filesize
64KB

Download
memory/1596-40-0x000001AD47E20000-0x000001AD47E30000-memory.dmp

Filesize
64KB

Download
memory/4076-63-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/4076-57-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-59-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/4076-60-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-61-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/4076-62-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/4924-15-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download
memory/4924-0-0x00000000000D0000-0x0000000000146000-memory.dmp

Filesize
472KB

Download
memory/4924-23-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads