njrat | 89925e9162e4a7a2ec8cabed0da1d03552fbdf4d3efb1ffdb96407b66b959fbb

General

Target

0c598e0a1d33a95614cda837f2d8cf55.exe
Size

112KB
MD5

0c598e0a1d33a95614cda837f2d8cf55
SHA1

d125d2b68d6e9152c7de2bfccaff53cabd990e3a
SHA256

89925e9162e4a7a2ec8cabed0da1d03552fbdf4d3efb1ffdb96407b66b959fbb
SHA512

4a4e4887eb5f000ab60fca507af1de2a4ca74ac9e89b52e7bf7539655695d54918774a96b2781a17780e51d94902ede1b8b94fffc336fb08ee6ed23eca4b37dc
SSDEEP

1536:UhWkvHfkmxUS2Bvsi4auMIofmSUbWkdnlJ6iHfLvg1pdtaXXbvihQQ3eNTespMDT:OHfkmxUSCVuMJ3UbvlYAjn7ov3saspMH

Score

10^/10

njrat javaw evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

javaw

C2

kevinmitnick121.duckdns.org:1133

Mutex

7a793c9db4ef3df6f9918c45784e547f

Attributes

reg_key
7a793c9db4ef3df6f9918c45784e547f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2296	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a793c9db4ef3df6f9918c45784e547f.exe	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a793c9db4ef3df6f9918c45784e547f.exe	javaw.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	javaw.exe

Loads dropped DLL 1 IoCs

pid	Process
2584	0c598e0a1d33a95614cda837f2d8cf55.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\7a793c9db4ef3df6f9918c45784e547f = "\"C:\\Users\\Admin\\javaw.exe\" .."	javaw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7a793c9db4ef3df6f9918c45784e547f = "\"C:\\Users\\Admin\\javaw.exe\" .."	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	0c598e0a1d33a95614cda837f2d8cf55.exe
Token: SeDebugPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe
Token: 33	2968	javaw.exe
Token: SeIncBasePriorityPrivilege	2968	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2968	2584	0c598e0a1d33a95614cda837f2d8cf55.exe	29
PID 2584 wrote to memory of 2968	2584	0c598e0a1d33a95614cda837f2d8cf55.exe	29
PID 2584 wrote to memory of 2968	2584	0c598e0a1d33a95614cda837f2d8cf55.exe	29
PID 2584 wrote to memory of 2968	2584	0c598e0a1d33a95614cda837f2d8cf55.exe	29
PID 2968 wrote to memory of 2296	2968	javaw.exe	30
PID 2968 wrote to memory of 2296	2968	javaw.exe	30
PID 2968 wrote to memory of 2296	2968	javaw.exe	30
PID 2968 wrote to memory of 2296	2968	javaw.exe	30

C:\Users\Admin\AppData\Local\Temp\0c598e0a1d33a95614cda837f2d8cf55.exe
"C:\Users\Admin\AppData\Local\Temp\0c598e0a1d33a95614cda837f2d8cf55.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\javaw.exe
  "C:\Users\Admin\javaw.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\javaw.exe" "javaw.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\javaw.exe

Filesize
112KB

MD5
0c598e0a1d33a95614cda837f2d8cf55

SHA1
d125d2b68d6e9152c7de2bfccaff53cabd990e3a

SHA256
89925e9162e4a7a2ec8cabed0da1d03552fbdf4d3efb1ffdb96407b66b959fbb

SHA512
4a4e4887eb5f000ab60fca507af1de2a4ca74ac9e89b52e7bf7539655695d54918774a96b2781a17780e51d94902ede1b8b94fffc336fb08ee6ed23eca4b37dc

Download Submit
memory/2584-0-0x0000000000C30000-0x0000000000C4A000-memory.dmp

Filesize
104KB

Download
memory/2584-1-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-2-0x0000000002280000-0x00000000022C0000-memory.dmp

Filesize
256KB

Download
memory/2584-3-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2584-13-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2584-15-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-11-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2968-12-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-14-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download
memory/2968-17-0x00000000748F0000-0x0000000074FDE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-18-0x0000000004680000-0x00000000046C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads