njrat | 70bc725d2a8756ee10547571a59f859bfd4069460bef66b47259d5c3cce8825b | Triage

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 22:16 UTC

Sharing

Report Analysis Logs

General

Target

7e25b10edb79b23e598357a9d138ea5e.exe
Size

212KB
MD5

7e25b10edb79b23e598357a9d138ea5e
SHA1

8ac0dabaebfdaba4d13035a2e44609b4a5e04bcd
SHA256

70bc725d2a8756ee10547571a59f859bfd4069460bef66b47259d5c3cce8825b
SHA512

aa070d8614e830fa7c54dd247a762596e55734dcd7be67be43e6130e791f5399a4e8dad427e37d547beeb6cff093f7b8e26817d6ebc3c3cd8e923691caa93173
SSDEEP

3072:3Jacj8v7wQ+ZGx7w8wjjP8I1IU8RjrzzvUWAOZjfKdLnY7:3JPgv7wJZ87wBjYI1IUwrIOZyY7

Score

10^/10

njrat hacked evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Hacked

C2

abdo95.ddns.net:1177

Mutex

ed6e2bf930f6d35b3ac57c049d10ac2c

Attributes

reg_key
ed6e2bf930f6d35b3ac57c049d10ac2c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

Windows Service

Disable or Modify System Firewall

pid	Process
2664	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed6e2bf930f6d35b3ac57c049d10ac2c.exe	Explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ed6e2bf930f6d35b3ac57c049d10ac2c.exe	Explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
1612	test.exe
2804	Explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	cmd.exe
1612	test.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2612-0-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000498000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed6e2bf930f6d35b3ac57c049d10ac2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explorer.exe\" .."	Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ed6e2bf930f6d35b3ac57c049d10ac2c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Explorer.exe\" .."	Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe
2804	Explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	Explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1992	2612	7e25b10edb79b23e598357a9d138ea5e.exe	29
PID 2612 wrote to memory of 1992	2612	7e25b10edb79b23e598357a9d138ea5e.exe	29
PID 2612 wrote to memory of 1992	2612	7e25b10edb79b23e598357a9d138ea5e.exe	29
PID 2612 wrote to memory of 1992	2612	7e25b10edb79b23e598357a9d138ea5e.exe	29
PID 1992 wrote to memory of 1612	1992	cmd.exe	30
PID 1992 wrote to memory of 1612	1992	cmd.exe	30
PID 1992 wrote to memory of 1612	1992	cmd.exe	30
PID 1992 wrote to memory of 1612	1992	cmd.exe	30
PID 1612 wrote to memory of 2804	1612	test.exe	33
PID 1612 wrote to memory of 2804	1612	test.exe	33
PID 1612 wrote to memory of 2804	1612	test.exe	33
PID 1612 wrote to memory of 2804	1612	test.exe	33
PID 2804 wrote to memory of 2664	2804	Explorer.exe	32
PID 2804 wrote to memory of 2664	2804	Explorer.exe	32
PID 2804 wrote to memory of 2664	2804	Explorer.exe	32
PID 2804 wrote to memory of 2664	2804	Explorer.exe	32

C:\Users\Admin\AppData\Local\Temp\7e25b10edb79b23e598357a9d138ea5e.exe
"C:\Users\Admin\AppData\Local\Temp\7e25b10edb79b23e598357a9d138ea5e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\Explorer.exe
      "C:\Users\Admin\AppData\Local\Temp\Explorer.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Explorer.exe" "Explorer.exe" ENABLE
1⤵
- Modifies Windows Firewall
PID:2664

Network

DNS

abdo95.ddns.net

Explorer.exe

Remote address:

8.8.8.8:53

Request

abdo95.ddns.net

IN A

Response

No results found

8.8.8.8:53

abdo95.ddns.net

dns

Explorer.exe

61 B
121 B
1
1

DNS Request

abdo95.ddns.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
29KB

MD5
fc42513e45503d510fb011bbb309e51e

SHA1
e9741466f6e68dadb9e874f12d5b62fe14693741

SHA256
766240fd9026a04e4a7f20240f699133eef24a969e242afdd471ad0a179cefe3

SHA512
0f2a88f96a8a47abe062ccca986d2b3d98310374629c9067b19dbfeb73f23ba411b3ca5ae3877684770fb2d25947305b42c38a913a329e6220de6cd5d539a8ca

Download Submit
memory/1612-5-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-6-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1612-7-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-16-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-0-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2612-19-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2804-17-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-18-0x0000000000E50000-0x0000000000E90000-memory.dmp

Filesize
256KB

Download
memory/2804-20-0x0000000074AD0000-0x000000007507B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-21-0x0000000000E50000-0x0000000000E90000-memory.dmp

Filesize
256KB

Download