Overview

overview

10

Static

static

10

Cheat_Bypa...ss.dll

windows7-x64

1

Cheat_Bypa...ss.dll

windows10-2004-x64

1

Cheat_Bypa...TA.exe

windows7-x64

10

Cheat_Bypa...TA.exe

windows10-2004-x64

10

Cheat_Bypa...64.exe

windows7-x64

1

Cheat_Bypa...64.exe

windows10-2004-x64

1

Cheat_Bypa...ss.dll

windows7-x64

1

Cheat_Bypa...ss.dll

windows10-2004-x64

1

Cheat_Bypa...TA.exe

windows7-x64

10

Cheat_Bypa...TA.exe

windows10-2004-x64

10

Cheat_Bypa...64.exe

windows7-x64

1

Cheat_Bypa...64.exe

windows10-2004-x64

3

PPRE/PPRE.exe

windows7-x64

7

PPRE/PPRE.exe

windows10-2004-x64

7

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

LICENSES.c...m.html

windows7-x64

1

LICENSES.c...m.html

windows10-2004-x64

1

Project.exe

windows7-x64

7

Project.exe

windows10-2004-x64

7

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows7-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows7-x64

1

libGLESv2.dll

windows10-2004-x64

1

locales/de.ps1

windows7-x64

1

locales/de.ps1

windows10-2004-x64

1

locales/nb.ps1

windows7-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-03-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe

  • Size

    748KB

  • MD5

    6f165b1eef8c2891e4e9d5e37f9074ec

  • SHA1

    4017b1950461c898c5041c3abe08f80ff3ec668b

  • SHA256

    36711a12941ffc7194605b9664f452fa3179eacc55b5701fd22414eff087b80f

  • SHA512

    2c4c47bb48c87055599ceb0e9ee761de5c33e94bbc58ef3613b008f65b8afaa4522660780a93a9ef553b090d09ef06121e89126627413feca9e6ed7c2cf32bf9

  • SSDEEP

    3072:nLJMjbcHDdMwQy1SZ/yUqnLQZr29SB8baRYX2NCancRuXAlSfZEPCNIj2BMmu/Gu:nlMeBzQ6SRInLQZApPAKNMBpPAKNM

Score
10/10
njrat2024evasionpersistencetrojanupx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2024

C2

userdalex2024.ddns.net:4444

Mutex

1c455b7054bf3cdcc6d194b1216e5458

Attributes
  • reg_key

    1c455b7054bf3cdcc6d194b1216e5458

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe
    "C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:312
    • C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
      "C:\Users\Admin\AppData\LocalQjZdVxezHX.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:804
    • C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
      "C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5023.tmp\5024.tmp\5025.bat C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1460
        • C:\Windows\system32\timeout.exe
          timeout /t 5 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:3076
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:1220
        • C:\Windows\system32\timeout.exe
          timeout /t 3 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:4500
        • C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe
          "Executor\Xenos64.exe"
          4⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
    Filesize

    512KB

    MD5

    f4cefc9edd348a922b7041e0bdfd3315

    SHA1

    9fd37f5427eea7bc27d333c51487beabbb0d0032

    SHA256

    984936c665c5b0e4e0012d1302a4e8b317ceec11719e7bfcdabb4d2cd9e5ba4e

    SHA512

    7745553290296a5d5fd8b07a38f211ee91c1edb4bab7f82fbd3d79d67ea7935c9daa0a44bf415f64eedf7d25e465d25c4970e65af833d2b1b863507848049738

    Download Submit
  • C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
    Filesize

    634KB

    MD5

    4e560a1285920589d854042360fab9c8

    SHA1

    010c6ce1a51ea5a67423e4b37af50effefd6a91b

    SHA256

    ff74d85d8ebff1e82b9e32b8f6b6b5a821582c4da74310e7873854cb050c5ff1

    SHA512

    9ed4c57a4489fe00c43a7ef5de7d53702aa18f20c1fd538dd7d20705bfef134ccad2e8d581d6e42e36ab8adf6053b9016a0884bb145b7cdbb3b256ac1f9530bd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\5023.tmp\5024.tmp\5025.bat
    Filesize

    774B

    MD5

    9968d05364877e87833258601f604e38

    SHA1

    8cde606096a11883bf13b8617b9e15e1fb8144d6

    SHA256

    303e8297945e14ac06c08ddaca5f2109b67581816189d5c8d761550db76289a7

    SHA512

    249f557dc4220e4b09ddccbcfd2ef7a94f53c88ff34eeb494fe1c1bfaf77a8f397822ef85872f0805a249e49dd121fd176b382859a61b92e5b9392dae6d6fb14

    Download Submit
  • C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
    Filesize

    55KB

    MD5

    530d8b420991e13d1a66f8e4322066a0

    SHA1

    b09596914770129167a3bdce88b78d7945f31105

    SHA256

    b08506e267fd78912a8c962fcb23097e26ae02222668145b0c2d32cc4896e384

    SHA512

    25a45e65113d3f754b57fa3fc0c08c93904e83063390c747c2f53a35c4ba1248157b091cd9a7934b2596e20d5ca5801daa8c9788f30e9056fef7fef8ae87b914

    Download Submit
  • memory/312-2-0x0000000000BE0000-0x0000000000BF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/312-0-0x00007FFB678C0000-0x00007FFB68261000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/312-23-0x00007FFB678C0000-0x00007FFB68261000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/312-14-0x00007FFB678C0000-0x00007FFB68261000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2232-22-0x0000000140000000-0x0000000140027000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2232-47-0x0000000140000000-0x0000000140027000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2232-46-0x0000000140000000-0x0000000140027000-memory.dmp
    Filesize

    156KB

    Download
  • memory/2552-45-0x0000000074BE0000-0x0000000075390000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2552-63-0x0000000074BE0000-0x0000000075390000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2552-61-0x00000000054C0000-0x00000000054CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2552-60-0x00000000054F0000-0x0000000005582000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3376-30-0x00000000050A0000-0x00000000050AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3376-44-0x0000000074BE0000-0x0000000075390000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3376-31-0x0000000005910000-0x0000000005EB4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3376-27-0x0000000000810000-0x00000000008B6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/3376-29-0x0000000005100000-0x000000000519C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3376-25-0x0000000074BE0000-0x0000000075390000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4212-58-0x0000000000050000-0x0000000000150000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/4212-65-0x0000000000050000-0x0000000000150000-memory.dmp
    Filesize

    1024KB

    Download