arkei | a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d

General

Target

a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
Size

312KB
MD5

ae68f525110174d36fd0a78f728ec1ac
SHA1

a1e118f23dfc15269400bd059d5960caf01a6ebe
SHA256

a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d
SHA512

acdb4617b5c8aca3cab43d5af963f076d14bd9a55b4b0ad95f65490ee125022424453a1b0fd71776205027b1fc266e5918db44a7b81bb0d29befb34b1d8d741b
SSDEEP

6144:yMNCha6O+chMWnhE/deKaG6+9DzZzNIT9OsUp9kBbCSCH/:yMNCha6O+EMcKFJ6+93ZuokBWS

Score

10^/10

arkei njrat default evasion persistence stealer trojan

Malware Config

Extracted

Family

arkei

Botnet

Default

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2584	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe	Javaupdt.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ee29faf3a82dae4ce355ef93c3d73702.exe	Javaupdt.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	LocalrjJXIAUZat.exe
2520	LocalXOdtfnFxis.exe
2580	Javaupdt.exe

Loads dropped DLL 6 IoCs

pid	Process
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2448	WerFault.exe
2600	LocalrjJXIAUZat.exe
2600	LocalrjJXIAUZat.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .."	Javaupdt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ee29faf3a82dae4ce355ef93c3d73702 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Javaupdt.exe\" .."	Javaupdt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2448	2520	WerFault.exe	29

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	LocalrjJXIAUZat.exe
Token: SeDebugPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe
Token: 33	2580	Javaupdt.exe
Token: SeIncBasePriorityPrivilege	2580	Javaupdt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	28
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	28
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	28
PID 3040 wrote to memory of 2600	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	28
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	29
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	29
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	29
PID 3040 wrote to memory of 2520	3040	a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe	29
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	30
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	30
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	30
PID 2520 wrote to memory of 2448	2520	LocalXOdtfnFxis.exe	30
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	31
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	31
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	31
PID 2600 wrote to memory of 2580	2600	LocalrjJXIAUZat.exe	31
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	32
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	32
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	32
PID 2580 wrote to memory of 2584	2580	Javaupdt.exe	32

C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe
"C:\Users\Admin\AppData\Local\Temp\a5e7d573e91033eb9bc300186f754394a91a114c73a6661d31dfb8225209030d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\LocalrjJXIAUZat.exe
  "C:\Users\Admin\AppData\LocalrjJXIAUZat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe
    "C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Javaupdt.exe" "Javaupdt.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2584
- C:\Users\Admin\AppData\LocalXOdtfnFxis.exe
  "C:\Users\Admin\AppData\LocalXOdtfnFxis.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 72
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalXOdtfnFxis.exe

Filesize
107KB

MD5
41c1fb2f4bd3c65cb0030b1f47a46084

SHA1
199420219f0096cfb156945a54933a03144da70d

SHA256
f335705b83540e68ddd17c68232c2f5ca67b0479cdc3ad8ff11931db6c134764

SHA512
93d4778a35b766b17824c62817421ac224027d6b699afde1281aaaedff7443d3d2c29d1ded98dc1dc318a67d51c2ad3f3b6df83b1c247da9e534f27ae7b0abfe

Download Submit
C:\Users\Admin\AppData\LocalrjJXIAUZat.exe

Filesize
104KB

MD5
4fe3cecb0627425f48b4832768beda71

SHA1
956c71fa6ccc7c7d3dd7b79d624117d580a7c7fb

SHA256
2c3cdb3cd330732b2dc485aee38d30b07ac006765b861adccc76b62aa29d2dff

SHA512
a9067a9c418c276423e5c5b18e474a070c641d729b83a84a40a6df6df670bda0a42d3c59e1c1310f6bff289327f53948ba721f6326d254a66b78723b634f413c

Download Submit
memory/2520-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2580-43-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-41-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-39-0x0000000000B30000-0x0000000000B70000-memory.dmp

Filesize
256KB

Download
memory/2580-37-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-21-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2600-22-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2600-20-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-38-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-19-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-17-0x00000000009C0000-0x0000000000A40000-memory.dmp

Filesize
512KB

Download
memory/3040-16-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/3040-15-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads