njrat | 35905f3d15f4c53feaec8bf0a3fba99621f8ffb8e02f64a03323d6674976b3b5

General

Target

953cb72ec7feee841757eca646add75d.exe
Size

2.6MB
MD5

953cb72ec7feee841757eca646add75d
SHA1

f594c79a413380cd4f6717097b4003a252f1a84c
SHA256

35905f3d15f4c53feaec8bf0a3fba99621f8ffb8e02f64a03323d6674976b3b5
SHA512

cd8d50039fdf1ade147cbf50dc9b24e1e652a1d1a8eedb4ef2ebb51ebd8dbbef8e1b4fc0e56dc420ec528558a316366157ee5bd3853e0cd7f879bfe63d7d785a
SSDEEP

49152:eFFdWfzEeWY3LvXf5IAjYGoW6qQluP+xsKRbYJlotmqahJBt21:e5IeY37yAjYKP25YJIm5G

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

bp2020.ddns.net:666

Mutex

ca1abf05f66deec6f87b6b8a8e6cac15

Attributes

reg_key
ca1abf05f66deec6f87b6b8a8e6cac15
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2380 netsh.exe

pid	process
2380	netsh.exe

Drops startup file 2 IoCs

Processes:

953cb72ec7feee841757eca646add75d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ca1abf05f66deec6f87b6b8a8e6cac15.exe	953cb72ec7feee841757eca646add75d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ca1abf05f66deec6f87b6b8a8e6cac15.exe	953cb72ec7feee841757eca646add75d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

953cb72ec7feee841757eca646add75d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ca1abf05f66deec6f87b6b8a8e6cac15 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\953cb72ec7feee841757eca646add75d.exe\" .."	953cb72ec7feee841757eca646add75d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\ca1abf05f66deec6f87b6b8a8e6cac15 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\953cb72ec7feee841757eca646add75d.exe\" .."	953cb72ec7feee841757eca646add75d.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

953cb72ec7feee841757eca646add75d.exe

description	pid	process
Token: SeDebugPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe
Token: 33	2180	953cb72ec7feee841757eca646add75d.exe
Token: SeIncBasePriorityPrivilege	2180	953cb72ec7feee841757eca646add75d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

953cb72ec7feee841757eca646add75d.exe

description	pid	process	target process
PID 2180 wrote to memory of 2380	2180	953cb72ec7feee841757eca646add75d.exe	netsh.exe
PID 2180 wrote to memory of 2380	2180	953cb72ec7feee841757eca646add75d.exe	netsh.exe
PID 2180 wrote to memory of 2380	2180	953cb72ec7feee841757eca646add75d.exe	netsh.exe
PID 2180 wrote to memory of 2380	2180	953cb72ec7feee841757eca646add75d.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe
"C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\953cb72ec7feee841757eca646add75d.exe" "953cb72ec7feee841757eca646add75d.exe" ENABLE
2⤵
- Modifies Windows Firewall
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2180-1-0x0000000001010000-0x0000000001272000-memory.dmp

Filesize
2.4MB

Download
memory/2180-0-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-4-0x00000000053B0000-0x00000000053F0000-memory.dmp

Filesize
256KB

Download
memory/2180-5-0x0000000074D50000-0x000000007543E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-6-0x00000000053B0000-0x00000000053F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads