njrat | edba8ccd7dfdd0f156fb80183439684faf4aa2f70f131d4ee192e73e12e72f0f

General

Target

0fbd44c0822387461816967898b57865.exe
Size

636KB
MD5

0fbd44c0822387461816967898b57865
SHA1

5bdff7cd36e866e6d5f122b5d18e871653740ab4
SHA256

edba8ccd7dfdd0f156fb80183439684faf4aa2f70f131d4ee192e73e12e72f0f
SHA512

aa783b078e3a1e65fe8ff3597eb1dffc7d1267cf9bbe50b8d32dc39dcb9673bebcfed7743b4a31114c9dad4a5bd0df35978ad87c83525b7a82d805245fc0e78b
SSDEEP

12288:Uzpeojs6NrsfWa/G2oy9bawFkHaW6Ofm1VHV:UYEE/9baXaW6Oc1

Score

10^/10

njrat destroyer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Destroyer

C2

plankxd.ddns.net:1177

Mutex

2f806f40c5d4533d860b3bd9e1a2b698

Attributes

reg_key
2f806f40c5d4533d860b3bd9e1a2b698
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2560	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2372	LocalLNKqUqNGce.exe
2684	LocalkYYeLRCOkC.exe
2796	server.exe

Loads dropped DLL 1 IoCs

pid	Process
2372	LocalLNKqUqNGce.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f806f40c5d4533d860b3bd9e1a2b698 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2f806f40c5d4533d860b3bd9e1a2b698 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2684	LocalkYYeLRCOkC.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe
Token: 33	2796	server.exe
Token: SeIncBasePriorityPrivilege	2796	server.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	LocalkYYeLRCOkC.exe
2684	LocalkYYeLRCOkC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2372	1996	0fbd44c0822387461816967898b57865.exe	28
PID 1996 wrote to memory of 2372	1996	0fbd44c0822387461816967898b57865.exe	28
PID 1996 wrote to memory of 2372	1996	0fbd44c0822387461816967898b57865.exe	28
PID 1996 wrote to memory of 2372	1996	0fbd44c0822387461816967898b57865.exe	28
PID 1996 wrote to memory of 2684	1996	0fbd44c0822387461816967898b57865.exe	29
PID 1996 wrote to memory of 2684	1996	0fbd44c0822387461816967898b57865.exe	29
PID 1996 wrote to memory of 2684	1996	0fbd44c0822387461816967898b57865.exe	29
PID 1996 wrote to memory of 2684	1996	0fbd44c0822387461816967898b57865.exe	29
PID 2372 wrote to memory of 2796	2372	LocalLNKqUqNGce.exe	30
PID 2372 wrote to memory of 2796	2372	LocalLNKqUqNGce.exe	30
PID 2372 wrote to memory of 2796	2372	LocalLNKqUqNGce.exe	30
PID 2372 wrote to memory of 2796	2372	LocalLNKqUqNGce.exe	30
PID 2796 wrote to memory of 2560	2796	server.exe	32
PID 2796 wrote to memory of 2560	2796	server.exe	32
PID 2796 wrote to memory of 2560	2796	server.exe	32
PID 2796 wrote to memory of 2560	2796	server.exe	32

C:\Users\Admin\AppData\Local\Temp\0fbd44c0822387461816967898b57865.exe
"C:\Users\Admin\AppData\Local\Temp\0fbd44c0822387461816967898b57865.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\LocalLNKqUqNGce.exe
  "C:\Users\Admin\AppData\LocalLNKqUqNGce.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2560
- C:\Users\Admin\AppData\LocalkYYeLRCOkC.exe
  "C:\Users\Admin\AppData\LocalkYYeLRCOkC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLNKqUqNGce.exe

Filesize
23KB

MD5
1b3c1800fc7517344b4d23e0e86cddbc

SHA1
6f22e93be89693f4fe7d401f36c8b99d242d6d62

SHA256
d9b769477d0ebc1b17c213109d89a6b342e4e2e751c74fe9fbefaaab288c7dc8

SHA512
1c09dbc836d563e3656da727315f942bd500b34ce167d8bea8d0e851ed8383bf9378484c9e64a20bb7b26a317fd6a23485ffa7d8805540768a48583b9826813f

Download Submit
C:\Users\Admin\AppData\LocalkYYeLRCOkC.exe

Filesize
393KB

MD5
596f7cf91726c19416bc8bd5b819fdce

SHA1
bd2b52e7d5db524f21fe56415e8b3eb90e74c98f

SHA256
6aeea5e274d01c3f5b86a45c4555c621fecdaa191b67b53768b8405c1c851d48

SHA512
39de29d7764a22ef8e36fdeedde0c2f69dabd280cbc0c6694b798c9cbd4c3e5699f0c124f2ba190f7004d1acc34aa72afc7550aea608688c80f34469b4b97f82

Download Submit
memory/1996-9-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/1996-12-0x0000000002020000-0x00000000020A0000-memory.dmp

Filesize
512KB

Download
memory/1996-14-0x000007FEF5530000-0x000007FEF5ECD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-16-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-15-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-17-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2372-25-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-26-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-28-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download
memory/2796-27-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-29-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-30-0x0000000000940000-0x0000000000980000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads