njrat | a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2

General

Target

a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe
Size

61KB
MD5

944c114e02b1d7fdc46e0b495cfc01c3
SHA1

0b810447828a36ce22d905c0a5ca8ce6f38700ba
SHA256

a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2
SHA512

c5c30fdd8d2dbda2cfa1a10d56d7a7485cd0d565e49542fa6f9dd9c05ce2606feaef4855656ceab4e8f3bb60dd13f4fc564e6566ec23dcec8d8aca8d6b2d071c
SSDEEP

1536:6weoCsTr2cg+H32CP4Gr+D12uYew4spdA4GSuw1:l2R+RED1IKedv

Score

10^/10

njrat @ hacking by dr west @evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

@ HaCkInG By Dr WeSt @

C2

w187.ddns.net:2020

Mutex

4ef9538b5a577a1bd3c1a578ea50c133

Attributes

reg_key
4ef9538b5a577a1bd3c1a578ea50c133
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2116 netsh.exe

pid	process
2116	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe[Mr.Abu Hani].exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	[Mr.Abu Hani].exe

Drops startup file 2 IoCs

Processes:

Windows Audio Device Graph Isolation .exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ef9538b5a577a1bd3c1a578ea50c133.exe	Windows Audio Device Graph Isolation .exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ef9538b5a577a1bd3c1a578ea50c133.exe	Windows Audio Device Graph Isolation .exe

Executes dropped EXE 2 IoCs

Processes:

[Mr.Abu Hani].exeWindows Audio Device Graph Isolation .exe

pid process

4848 [Mr.Abu Hani].exe
4064 Windows Audio Device Graph Isolation .exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4848	[Mr.Abu Hani].exe
4064	Windows Audio Device Graph Isolation .exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Windows Audio Device Graph Isolation .exe

description	pid	process
Token: SeDebugPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe
Token: 33	4064	Windows Audio Device Graph Isolation .exe
Token: SeIncBasePriorityPrivilege	4064	Windows Audio Device Graph Isolation .exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe[Mr.Abu Hani].exeWindows Audio Device Graph Isolation .exe

description	pid	process	target process
PID 4944 wrote to memory of 4848	4944	a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe	[Mr.Abu Hani].exe
PID 4944 wrote to memory of 4848	4944	a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe	[Mr.Abu Hani].exe
PID 4944 wrote to memory of 4848	4944	a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe	[Mr.Abu Hani].exe
PID 4848 wrote to memory of 4064	4848	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 4848 wrote to memory of 4064	4848	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 4848 wrote to memory of 4064	4848	[Mr.Abu Hani].exe	Windows Audio Device Graph Isolation .exe
PID 4064 wrote to memory of 2116	4064	Windows Audio Device Graph Isolation .exe	netsh.exe
PID 4064 wrote to memory of 2116	4064	Windows Audio Device Graph Isolation .exe	netsh.exe
PID 4064 wrote to memory of 2116	4064	Windows Audio Device Graph Isolation .exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe
"C:\Users\Admin\AppData\Local\Temp\a4f78e77907d8ea06d93912ebc29d191629c47270d87882ed9e8948a3bbb77c2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe
"C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe
"C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe" "Windows Audio Device Graph Isolation .exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe
Filesize
23KB

MD5
1b6071dc1c6ca35c780dc5dcf5392ba3

SHA1
c331def6c09f8c82bc71826b9df035e8fcc5059d

SHA256
89a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721

SHA512
7b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56

Download Submit
memory/4064-29-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/4064-33-0x00000000010E0000-0x00000000010F0000-memory.dmp

Filesize
64KB

Download
memory/4064-32-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4064-30-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4064-28-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4848-27-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4848-16-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4848-17-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4848-15-0x00000000711A0000-0x0000000071751000-memory.dmp

Filesize
5.7MB

Download
memory/4944-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4944-14-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/4944-3-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4944-2-0x0000000004A30000-0x0000000004FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4944-1-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads