njrat | ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4

General

Target

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
Size

25KB
MD5

0aa1ade344f3ae78bc65f3d506d99706
SHA1

dae7b9c5b1a82b5fc415cfe04a9bebc305454862
SHA256

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
SHA512

7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
SSDEEP

384:5vcTzm3sU97IM7LFmEewqhXYYTO+VE+PTLhe557mA6VkMJpeC2agkxiVNQKTjoq:5vkgj98MfEEnXMbV7PAKlkcgZGK3oq

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

systemupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe

Executes dropped EXE 1 IoCs

Processes:

systemupdate.exe

pid process

3016 systemupdate.exe

pid	process
3016	systemupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

systemupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."	systemupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."	systemupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exesystemupdate.exe

pid process

3064 ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
3016 systemupdate.exe

pid	process
3064	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
3016	systemupdate.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

systemupdate.exe

description	pid	process
Token: SeDebugPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe
Token: 33	3016	systemupdate.exe
Token: SeIncBasePriorityPrivilege	3016	systemupdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe

description	pid	process	target process
PID 3064 wrote to memory of 3016	3064	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe	systemupdate.exe
PID 3064 wrote to memory of 3016	3064	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe	systemupdate.exe
PID 3064 wrote to memory of 3016	3064	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe	systemupdate.exe

C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
"C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Roaming\systemupdate.exe
"C:\Users\Admin\AppData\Roaming\systemupdate.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\systemupdate.exe
Filesize
25KB

MD5
0aa1ade344f3ae78bc65f3d506d99706

SHA1
dae7b9c5b1a82b5fc415cfe04a9bebc305454862

SHA256
ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4

SHA512
7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732

Download Submit
memory/3016-10-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-11-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/3016-12-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-14-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/3016-15-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-16-0x0000000001FF0000-0x0000000002070000-memory.dmp

Filesize
512KB

Download
memory/3064-0-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/3064-2-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/3064-1-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-3-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/3064-9-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads