njrat | e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec

General

Target

64e03ce9d4db10ad22af9fdecf8e750b.exe
Size

230KB
MD5

64e03ce9d4db10ad22af9fdecf8e750b
SHA1

b9fe3564b39f85feac38877320562d345fa31300
SHA256

e9cafe0e597dea98a327b31ceb7bcf8a6a90c90d729b6709c0b8819efb53ceec
SHA512

815d7f97eb088e3dee422b1fdf7ad9fae6796ad1d7648c46942610d48074042d7d6ea2073ca6d65df86d91b6b8e16c5d03d90a042272c5ea74783f3e62c69ec1
SSDEEP

1536:e/gDBnYi9bV1BZV0CbD/csMunng0P5JkcrOGEoUjMJC:e4ZYi9bV1BZV0C3csjnbJkoVBUg8

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

79.224.89.201:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	64e03ce9d4db10ad22af9fdecf8e750b.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	64e03ce9d4db10ad22af9fdecf8e750b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
2272	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	64e03ce9d4db10ad22af9fdecf8e750b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe
Token: 33	2272	Payload.exe
Token: SeIncBasePriorityPrivilege	2272	Payload.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2272	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	99
PID 1500 wrote to memory of 2272	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	99
PID 1500 wrote to memory of 2272	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	99
PID 1500 wrote to memory of 3248	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	101
PID 1500 wrote to memory of 3248	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	101
PID 1500 wrote to memory of 3248	1500	64e03ce9d4db10ad22af9fdecf8e750b.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3248	attrib.exe

C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe
"C:\Users\Admin\AppData\Local\Temp\64e03ce9d4db10ad22af9fdecf8e750b.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Views/modifies file attributes
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
85KB

MD5
68b3d2c03ac17264282cd7f4a675f4c7

SHA1
d494d51a59e1c18836d5d6fc2b19ee98fa919cf8

SHA256
ad03e2931c0c11f22535eb33c6b265164effd92cb39fda1820eddfaa61158c3e

SHA512
37df63b61656c43ea905f851f9ccaf26b75f87249ffc05ad68d94715de61bee184764c4047bddd491e9c1bb41b978441617918a9be0882d5f0c953e615c4a049

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
57KB

MD5
1142d08b49b6c3f66a2f1460bb084fa8

SHA1
1e03bf6321deb05c8a1b07f16a42df26923e8553

SHA256
d2ae12ba45a0dbf077cbf69b0289ddfaa133e24761b821d4822298e178f1d1c4

SHA512
9f162dcd7c1c3eab8e4842e5033987d89a22542dd999ee67334a4d531609d54111d35c73b44e6ea29a099ab13a7ed88f855168530e274dbcfcb2774ec092479d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
92KB

MD5
ca1e7c8ab5b1d897214a4124cc15508d

SHA1
4a1d0cfb83062a6279d98071ed4d8d533f08b875

SHA256
948421805b3eab8614f969550954e1b4f54cc9e208126a4c01a3768af0500cda

SHA512
b05af9e205e875a03353e12f590c4110a9e14af43844552b5261c6af7c71833fb510a2baf049d06a225886f7e5b48493ab91eea9872affe61e1d3438ec9076c0

Download Submit
memory/1500-2-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/1500-1-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1500-5-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1500-7-0x0000000001220000-0x0000000001230000-memory.dmp

Filesize
64KB

Download
memory/1500-0-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/1500-18-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/2272-16-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/2272-17-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download
memory/2272-19-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/2272-25-0x0000000074F80000-0x0000000075531000-memory.dmp

Filesize
5.7MB

Download
memory/2272-26-0x00000000014D0000-0x00000000014E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads