Analysis Overview
SHA256
91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974
Threat Level: Known bad
The file jjj.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-24 04:27
Signatures
Njrat family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-24 04:27
Reported
2024-02-24 04:30
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jjj.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2172 wrote to memory of 3068 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\jjj.exe | C:\Users\Admin\AppData\Roaming\ver.exe |
| PID 3068 wrote to memory of 1976 (4 identical events) | N/A | C:\Users\Admin\AppData\Roaming\ver.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\jjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjj.exe"
C:\Users\Admin\AppData\Roaming\ver.exe
"C:\Users\Admin\AppData\Roaming\ver.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ver.exe" "ver.exe" ENABLE
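The process tree above is the whole njRAT installation sequence in three lines: the submitted sample in %TEMP% starts its copy in %APPDATA%\Roaming, and that copy spawns netsh to exempt itself from the Windows Firewall using the legacy `netsh firewall` context (deprecated since Windows Vista, still accepted on Windows 7 and 10, which is why this family keeps using it). The following detection logic is an added example, not part of the sandbox report or of njRAT; the event records are constructed from the behavioral1 process tree (PIDs 2172, 3068, 1976) plus one made-up benign netsh call for contrast, and the field names pid/ppid/image/cmdline are an assumption modelled on a Sysmon Event ID 1 process-creation log.

```python
"""Detecting the process chain and firewall tampering seen in this report.

Added example, not part of the sandbox report and not njRAT's own code. The
event records are constructed from the behavioral1 "Processes" and
"Suspicious use of WriteProcessMemory" sections (PIDs 2172 -> 3068 -> 1976);
the field names pid/ppid/image/cmdline and the benign fourth record are
assumptions modelled on a Sysmon Event ID 1 process-creation log.
"""
import re
from typing import Dict, List, Optional

# Constructed records. The first three mirror the report; the fourth is a
# made-up legitimate installer rule, included so the check visibly ignores it.
EVENTS: List[Dict] = [
    {"pid": 2172, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\jjj.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\jjj.exe"'},
    {"pid": 3068, "ppid": 2172, "image": r"C:\Users\Admin\AppData\Roaming\ver.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\ver.exe"'},
    {"pid": 1976, "ppid": 3068, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ver.exe" "ver.exe" ENABLE'},
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Backup" dir=in action=allow '
                r'program="C:\Program Files\Backup\agent.exe"'},
]

# Both the legacy "netsh firewall" context (deprecated since Vista but still
# accepted, which is why njRAT keeps using it) and the modern "advfirewall" one.
FIREWALL_EXEMPTION = re.compile(
    r'(?:\bfirewall\s+add\s+allowedprogram\s+(?:program=)?'
    r'|\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)

# Per-user locations a packaged installer does not leave long-lived,
# network-facing binaries in.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local\\Temp)\\", re.IGNORECASE)


def firewall_exemption_path(cmdline: str) -> Optional[str]:
    """Return the program a netsh command exempts from the firewall, else None."""
    m = FIREWALL_EXEMPTION.search(cmdline)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def ancestry(event: Dict, by_pid: Dict[int, Dict], limit: int = 8) -> List[str]:
    """Image paths from the oldest known ancestor down to the event itself."""
    chain, cur = [], event
    while cur is not None and len(chain) < limit:
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


def find_suspicious_exemptions(events: List[Dict]) -> List[Dict]:
    """netsh firewall exemptions for a binary under the user profile.

    A stronger signal is recorded when the process that spawned netsh is the
    very binary being exempted: the self-whitelisting pattern in this report
    (ver.exe -> netsh firewall add allowedprogram ver.exe)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\netsh.exe"):
            continue
        path = firewall_exemption_path(e["cmdline"])
        if path is None or not USER_WRITABLE.match(path):
            continue
        parent = by_pid.get(e["ppid"], {})
        hits.append({
            "pid": e["pid"],
            "exempted": path,
            "self_exemption": parent.get("image", "").lower() == path.lower(),
            "chain": ancestry(e, by_pid),
        })
    return hits


def find_temp_to_roaming_launches(events: List[Dict]) -> List[Dict]:
    """A parent running from %TEMP% starting a child placed in %APPDATA%\\Roaming:
    the drop-and-execute step that precedes the firewall change."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if ("\\appdata\\local\\temp\\" in parent["image"].lower()
                and "\\appdata\\roaming\\" in e["image"].lower()):
            out.append({"parent_pid": parent["pid"], "child_pid": e["pid"], "child": e["image"]})
    return out


if __name__ == "__main__":
    for hit in find_suspicious_exemptions(EVENTS):
        print("firewall exemption:", hit)
    for launch in find_temp_to_roaming_launches(EVENTS):
        print("drop-and-execute:", launch)
```

Run against the constructed events, the legacy `allowedprogram` call is flagged with `self_exemption` set and the full chain jjj.exe → ver.exe → netsh.exe, the Temp-to-Roaming launch of ver.exe is reported separately, and the `advfirewall` rule for a Program Files binary is parsed but not flagged. On a real host, feed it Sysmon Event ID 1 or Security 4688 records with the same four fields.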
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | nature-dawn.gl.at.ply.gg | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 64 |
Files
memory/2172-0-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/2172-1-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/2172-2-0x0000000000C20000-0x0000000000C60000-memory.dmp
\Users\Admin\AppData\Roaming\ver.exe
| MD5 | 1b6f416c01dab81fc69ba006b4cfd768 |
| SHA1 | ce5f59bcd9ab11d17e5c6dcc5024722f5275328a |
| SHA256 | 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974 |
| SHA512 | 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7 |
Same SHA256 as the submitted sample: the dropped ver.exe is a byte-identical copy of jjj.exe, so one hash covers both the initial file and the persisted copy.
memory/3068-12-0x0000000000B60000-0x0000000000BA0000-memory.dmp
memory/3068-11-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/2172-10-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/3068-13-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/3068-14-0x0000000074520000-0x0000000074ACB000-memory.dmp
memory/3068-15-0x0000000000B60000-0x0000000000BA0000-memory.dmp
memory/3068-16-0x0000000074520000-0x0000000074ACB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-24 04:27
Reported
2024-02-24 04:30
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
157s
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jjj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ver.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4788 wrote to memory of 1820 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\jjj.exe | C:\Users\Admin\AppData\Roaming\ver.exe |
| PID 1820 wrote to memory of 1828 (3 identical events) | N/A | C:\Users\Admin\AppData\Roaming\ver.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\jjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjj.exe"
C:\Users\Admin\AppData\Roaming\ver.exe
"C:\Users\Admin\AppData\Roaming\ver.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ver.exe" "ver.exe" ENABLE
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | nature-dawn.gl.at.ply.gg | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 1 |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 1 |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 2 |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 15 |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 8 |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 27 |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp | 1 |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp | 5 |
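Both detonations show the same picture on the wire: one DNS lookup for nature-dawn.gl.at.ply.gg, then dozens of short TCP connections to 147.185.221.18:80. The `ply.gg` suffix belongs to the playit.gg tunnelling service, so the IP is the broker's, not the operator's, and the in-addr.arpa rows are reverse lookups performed by the Windows 10 guest itself (18.221.185.147.in-addr.arpa is the C2 address written backwards), not malware traffic. The script below is an added example, not part of the report: it reduces a table in this format to blockable indicators and a per-destination connection count. SAMPLE_TABLE is constructed from a handful of behavioral2 rows, and the list of tunnel-broker suffixes is a short assumption rather than an authoritative feed.

```python
"""Reducing a sandbox network table to indicators and a beacon count.

Added example, not part of the sandbox report. SAMPLE_TABLE is constructed
from a few rows of the behavioral2 "Network" section (the real capture has
dozens of identical rows); TUNNEL_SUFFIXES is a short assumed list, not an
authoritative feed.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nature-dawn.gl.at.ply.gg | udp |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp |
| US | 147.185.221.18:80 | nature-dawn.gl.at.ply.gg | tcp |
"""

# Public tunnelling / reverse-proxy brokers RAT operators use to hide a home
# IP behind a provider address. Assumed, non-exhaustive; extend as needed.
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app",
                   ".trycloudflare.com", ".loca.lt", ".serveo.net")


class Flow(NamedTuple):
    country: str
    dest: str      # "ip:port" exactly as the sandbox prints it
    domain: str
    proto: str


def parse_table(text: str) -> List[Flow]:
    """Parse the pipe-delimited table; an optional fifth 'Count' cell, if a
    table has already been collapsed, expands back into that many flows."""
    flows: List[Flow] = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or cells[0].lower() == "country":
            continue
        repeat = int(cells[4]) if len(cells) > 4 and cells[4].isdigit() else 1
        flows.extend([Flow(*cells[:4])] * repeat)
    return flows


def is_reverse_lookup(domain: str) -> bool:
    """PTR queries the guest OS issues on its own; not attacker infrastructure."""
    d = domain.lower()
    return d.endswith(".in-addr.arpa") or d.endswith(".ip6.arpa")


def is_tunnel_domain(domain: str) -> bool:
    d = domain.lower()
    return any(d.endswith(s) for s in TUNNEL_SUFFIXES)


def summarise(flows: List[Flow]) -> Dict[str, object]:
    """Drop PTR noise, count repeated connections per (dest, domain, proto)
    and return the indicators an analyst would block or hunt for."""
    counts: Counter = Counter()
    for f in flows:
        if is_reverse_lookup(f.domain):
            continue
        counts[(f.dest, f.domain, f.proto)] += 1
    beacons = [
        {"dest": dest, "domain": dom, "proto": proto, "count": n,
         "tunnel_broker": is_tunnel_domain(dom)}
        for (dest, dom, proto), n in counts.most_common()
        if proto == "tcp"           # DNS to the resolver is not the C2 channel
    ]
    return {
        "domains": sorted({f.domain for f in flows if not is_reverse_lookup(f.domain)}),
        "ips": sorted({f.dest.rsplit(":", 1)[0] for f in flows if f.proto == "tcp"}),
        "beacons": beacons,
    }


if __name__ == "__main__":
    summary = summarise(parse_table(SAMPLE_TABLE))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample this yields one domain, one IP and a single TCP beacon entry with `tunnel_broker` set, which is the operational point: block the domain and hunt for the repeated connections, but treat the 147.185.221.18 address as the broker's shared endpoint that may rotate, not as the operator's host.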
Files
memory/4788-0-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/4788-1-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/4788-2-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\ver.exe
| MD5 | 1b6f416c01dab81fc69ba006b4cfd768 |
| SHA1 | ce5f59bcd9ab11d17e5c6dcc5024722f5275328a |
| SHA256 | 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974 |
| SHA512 | 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7 |
memory/1820-12-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/4788-13-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/1820-14-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/1820-15-0x0000000001250000-0x0000000001260000-memory.dmp
memory/1820-16-0x0000000074950000-0x0000000074F01000-memory.dmp
memory/1820-17-0x0000000001250000-0x0000000001260000-memory.dmp