njrat | 2883ca6aa4128eba9e009482d2e665ff528465c853e099aa87a9324fc343ff64

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat_Bypass_1.6/Cheat_MTA/Cheat_MTA.exe
Size

748KB
MD5

6f165b1eef8c2891e4e9d5e37f9074ec
SHA1

4017b1950461c898c5041c3abe08f80ff3ec668b
SHA256

36711a12941ffc7194605b9664f452fa3179eacc55b5701fd22414eff087b80f
SHA512

2c4c47bb48c87055599ceb0e9ee761de5c33e94bbc58ef3613b008f65b8afaa4522660780a93a9ef553b090d09ef06121e89126627413feca9e6ed7c2cf32bf9
SSDEEP

3072:nLJMjbcHDdMwQy1SZ/yUqnLQZr29SB8baRYX2NCancRuXAlSfZEPCNIj2BMmu/Gu:nlMeBzQ6SRInLQZApPAKNMBpPAKNM

Score

10^/10

njrat 2024 evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2024

userdalex2024.ddns.net:4444

Mutex

1c455b7054bf3cdcc6d194b1216e5458

Attributes

reg_key
1c455b7054bf3cdcc6d194b1216e5458
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2408 netsh.exe

pid	process
2408	netsh.exe

Drops startup file 2 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c455b7054bf3cdcc6d194b1216e5458.exe	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c455b7054bf3cdcc6d194b1216e5458.exe	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

Processes:

LocalQjZdVxezHX.exeLocalrBYMYNIqYn.exeRuntimeBroker.exe

pid process

2900 LocalQjZdVxezHX.exe
2940 LocalrBYMYNIqYn.exe
2752 RuntimeBroker.exe
Loads dropped DLL 3 IoCs

Processes:

Cheat_MTA.exeLocalQjZdVxezHX.exe

pid process

1772 Cheat_MTA.exe
1772 Cheat_MTA.exe
2900 LocalQjZdVxezHX.exe

pid	process
2900	LocalQjZdVxezHX.exe
2940	LocalrBYMYNIqYn.exe
2752	RuntimeBroker.exe

pid	process
1772	Cheat_MTA.exe
1772	Cheat_MTA.exe
2900	LocalQjZdVxezHX.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe	upx
behavioral9/memory/2940-20-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral9/memory/2940-27-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral9/memory/2940-38-0x0000000140000000-0x0000000140027000-memory.dmp	upx
behavioral9/memory/2888-49-0x0000000000030000-0x0000000000130000-memory.dmp	upx
behavioral9/memory/2752-51-0x00000000060F0000-0x0000000006130000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RuntimeBroker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RuntimeBroker.exe\" .."	RuntimeBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1c455b7054bf3cdcc6d194b1216e5458 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RuntimeBroker.exe\" .."	RuntimeBroker.exe

Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\Bypass.dll cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2660 timeout.exe
2432 timeout.exe
2748 timeout.exe
2544 timeout.exe

description	ioc	process
File created	C:\Program Files (x86)\MTA San Andreas 1.6\server\mods\deathmatch\Bypass.dll	cmd.exe

pid	process
2660	timeout.exe
2432	timeout.exe
2748	timeout.exe
2544	timeout.exe

Modifies registry class 15 IoCs

Processes:

Xenos64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat_Bypass_1.6\\Cheat_MTA\\Executor\\Xenos64.exe,-135"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\ = "Run"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat_Bypass_1.6\\Cheat_MTA\\Executor\\Xenos64.exe --load %1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\ = "Xenos 64-bit injection profile"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Edit\command	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\shell\Run\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Cheat_Bypass_1.6\\Cheat_MTA\\Executor\\Xenos64.exe --run %1"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64\DefaultIcon	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\ = "XenosProfile64"	Xenos64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xpr64\Content Type = "Application/xml"	Xenos64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XenosProfile64	Xenos64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Xenos64.exe

pid process

2888 Xenos64.exe

pid	process
2888	Xenos64.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Xenos64.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	2888	Xenos64.exe
Token: SeLoadDriverPrivilege	2888	Xenos64.exe
Token: SeDebugPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe
Token: 33	2752	RuntimeBroker.exe
Token: SeIncBasePriorityPrivilege	2752	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Cheat_MTA.exeLocalrBYMYNIqYn.execmd.exeLocalQjZdVxezHX.exeRuntimeBroker.exe

description	pid	process	target process
PID 1772 wrote to memory of 2900	1772	Cheat_MTA.exe	LocalQjZdVxezHX.exe
PID 1772 wrote to memory of 2900	1772	Cheat_MTA.exe	LocalQjZdVxezHX.exe
PID 1772 wrote to memory of 2900	1772	Cheat_MTA.exe	LocalQjZdVxezHX.exe
PID 1772 wrote to memory of 2900	1772	Cheat_MTA.exe	LocalQjZdVxezHX.exe
PID 1772 wrote to memory of 2940	1772	Cheat_MTA.exe	LocalrBYMYNIqYn.exe
PID 1772 wrote to memory of 2940	1772	Cheat_MTA.exe	LocalrBYMYNIqYn.exe
PID 1772 wrote to memory of 2940	1772	Cheat_MTA.exe	LocalrBYMYNIqYn.exe
PID 2940 wrote to memory of 2792	2940	LocalrBYMYNIqYn.exe	cmd.exe
PID 2940 wrote to memory of 2792	2940	LocalrBYMYNIqYn.exe	cmd.exe
PID 2940 wrote to memory of 2792	2940	LocalrBYMYNIqYn.exe	cmd.exe
PID 2792 wrote to memory of 2660	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2660	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2660	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2432	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2432	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2432	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2748	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2748	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2748	2792	cmd.exe	timeout.exe
PID 2900 wrote to memory of 2752	2900	LocalQjZdVxezHX.exe	RuntimeBroker.exe
PID 2900 wrote to memory of 2752	2900	LocalQjZdVxezHX.exe	RuntimeBroker.exe
PID 2900 wrote to memory of 2752	2900	LocalQjZdVxezHX.exe	RuntimeBroker.exe
PID 2900 wrote to memory of 2752	2900	LocalQjZdVxezHX.exe	RuntimeBroker.exe
PID 2792 wrote to memory of 2544	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2544	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2544	2792	cmd.exe	timeout.exe
PID 2792 wrote to memory of 2888	2792	cmd.exe	Xenos64.exe
PID 2792 wrote to memory of 2888	2792	cmd.exe	Xenos64.exe
PID 2792 wrote to memory of 2888	2792	cmd.exe	Xenos64.exe
PID 2752 wrote to memory of 2408	2752	RuntimeBroker.exe	netsh.exe
PID 2752 wrote to memory of 2408	2752	RuntimeBroker.exe	netsh.exe
PID 2752 wrote to memory of 2408	2752	RuntimeBroker.exe	netsh.exe
PID 2752 wrote to memory of 2408	2752	RuntimeBroker.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Cheat_MTA.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
"C:\Users\Admin\AppData\LocalQjZdVxezHX.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe" "RuntimeBroker.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2408

C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
"C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9BF1.tmp\9BF2.tmp\9BF3.bat C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe"
3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2660

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2432

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2748

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2544

C:\Users\Admin\AppData\Local\Temp\Cheat_Bypass_1.6\Cheat_MTA\Executor\Xenos64.exe
"Executor\Xenos64.exe"
4⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalQjZdVxezHX.exe
Filesize
634KB

MD5
4e560a1285920589d854042360fab9c8

SHA1
010c6ce1a51ea5a67423e4b37af50effefd6a91b

SHA256
ff74d85d8ebff1e82b9e32b8f6b6b5a821582c4da74310e7873854cb050c5ff1

SHA512
9ed4c57a4489fe00c43a7ef5de7d53702aa18f20c1fd538dd7d20705bfef134ccad2e8d581d6e42e36ab8adf6053b9016a0884bb145b7cdbb3b256ac1f9530bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF1.tmp\9BF2.tmp\9BF3.bat
Filesize
774B

MD5
9968d05364877e87833258601f604e38

SHA1
8cde606096a11883bf13b8617b9e15e1fb8144d6

SHA256
303e8297945e14ac06c08ddaca5f2109b67581816189d5c8d761550db76289a7

SHA512
249f557dc4220e4b09ddccbcfd2ef7a94f53c88ff34eeb494fe1c1bfaf77a8f397822ef85872f0805a249e49dd121fd176b382859a61b92e5b9392dae6d6fb14

Download Submit
C:\Users\Admin\AppData\LocalrBYMYNIqYn.exe
Filesize
55KB

MD5
530d8b420991e13d1a66f8e4322066a0

SHA1
b09596914770129167a3bdce88b78d7945f31105

SHA256
b08506e267fd78912a8c962fcb23097e26ae02222668145b0c2d32cc4896e384

SHA512
25a45e65113d3f754b57fa3fc0c08c93904e83063390c747c2f53a35c4ba1248157b091cd9a7934b2596e20d5ca5801daa8c9788f30e9056fef7fef8ae87b914

Download Submit
memory/1772-3-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/1772-9-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-18-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-19-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/1772-2-0x000007FEF5110000-0x000007FEF5AAD000-memory.dmp

Filesize
9.6MB

Download
memory/1772-17-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/2752-34-0x00000000003E0000-0x0000000000486000-memory.dmp

Filesize
664KB

Download
memory/2752-51-0x00000000060F0000-0x0000000006130000-memory.dmp

Filesize
256KB

Download
memory/2752-54-0x00000000060F0000-0x0000000006130000-memory.dmp

Filesize
256KB

Download
memory/2752-52-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/2752-36-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/2888-49-0x0000000000030000-0x0000000000130000-memory.dmp

Filesize
1024KB

Download
memory/2888-53-0x0000000000030000-0x0000000000130000-memory.dmp

Filesize
1024KB

Download
memory/2900-35-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-23-0x0000000001280000-0x0000000001326000-memory.dmp

Filesize
664KB

Download
memory/2900-25-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2900-24-0x0000000073E70000-0x000000007455E000-memory.dmp

Filesize
6.9MB

Download
memory/2940-20-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/2940-27-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download
memory/2940-38-0x0000000140000000-0x0000000140027000-memory.dmp

Filesize
156KB

Download