njrat | ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4

General

Target

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
Size

25KB
MD5

0aa1ade344f3ae78bc65f3d506d99706
SHA1

dae7b9c5b1a82b5fc415cfe04a9bebc305454862
SHA256

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4
SHA512

7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732
SSDEEP

384:5vcTzm3sU97IM7LFmEewqhXYYTO+VE+PTLhe557mA6VkMJpeC2agkxiVNQKTjoq:5vkgj98MfEEnXMbV7PAKlkcgZGK3oq

Score

10^/10

njrat system persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

system

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe

Drops startup file 2 IoCs

Processes:

systemupdate.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe	systemupdate.exe

Executes dropped EXE 1 IoCs

Processes:

systemupdate.exe

pid process

1964 systemupdate.exe

pid	process
1964	systemupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

systemupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."	systemupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\systemupdate.exe\" .."	systemupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exesystemupdate.exe

pid process

2368 ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
1964 systemupdate.exe

pid	process
2368	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
1964	systemupdate.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

systemupdate.exe

description	pid	process
Token: SeDebugPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe
Token: 33	1964	systemupdate.exe
Token: SeIncBasePriorityPrivilege	1964	systemupdate.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe

description	pid	process	target process
PID 2368 wrote to memory of 1964	2368	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe	systemupdate.exe
PID 2368 wrote to memory of 1964	2368	ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe	systemupdate.exe

C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe
"C:\Users\Admin\AppData\Local\Temp\ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Roaming\systemupdate.exe
"C:\Users\Admin\AppData\Roaming\systemupdate.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\systemupdate.exe
Filesize
25KB

MD5
0aa1ade344f3ae78bc65f3d506d99706

SHA1
dae7b9c5b1a82b5fc415cfe04a9bebc305454862

SHA256
ef0c9669aa9399413c6684f2420e43ff7db980f50d86323dc059439518f5ccd4

SHA512
7edcd977d77e868671f34030b38b6ec2b119cea86669895862262dcea0978f37c57e85b0f3f15db1c32fba491871db7fd874795c5961b346828d025ebabeb732

Download Submit
memory/1964-21-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/1964-19-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/1964-25-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/1964-24-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/1964-18-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/1964-23-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/1964-22-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/1964-16-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/2368-5-0x000000001BBF0000-0x000000001BC96000-memory.dmp

Filesize
664KB

Download
memory/2368-17-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/2368-1-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/2368-0-0x00007FFE5F020000-0x00007FFE5F9C1000-memory.dmp

Filesize
9.6MB

Download
memory/2368-2-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download
memory/2368-6-0x000000001CD50000-0x000000001CDEC000-memory.dmp

Filesize
624KB

Download
memory/2368-4-0x00000000011F0000-0x0000000001202000-memory.dmp

Filesize
72KB

Download
memory/2368-3-0x000000001C250000-0x000000001C71E000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads