njrat | c4950c74045abebe52917b078a5b404412468c55eb3f6832ed1079c52ddcd206

General

Target

dfcb89871609972a7830baf6b6840ff7.exe
Size

40KB
MD5

dfcb89871609972a7830baf6b6840ff7
SHA1

52e882a338155be96b05bdbd3ea269ae050379ca
SHA256

c4950c74045abebe52917b078a5b404412468c55eb3f6832ed1079c52ddcd206
SHA512

eecf0f0026e07436c07a2efec5aee3af9e67897a475bccd85b53e230e510de99ed7acfee0b4aa704bd2027f019b27cbe8a16cc26017c90d9cbda2d3aa54f1be3
SSDEEP

384:/TEw7bFh99DtgjqLkJnYSaDr3DwyXYkX:/rzK+LmebHx

Score

10^/10

njrat jaja evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jaja

C2

127.0.0.1:442

Mutex

74caf6ac20895d0081b0f902a5e18339

Attributes

reg_key
74caf6ac20895d0081b0f902a5e18339
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4712	netsh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe
Token: 33	2988	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2988	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
908	dfcb89871609972a7830baf6b6840ff7.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 908 wrote to memory of 2988	908	dfcb89871609972a7830baf6b6840ff7.exe	96
PID 2988 wrote to memory of 4712	2988	aspnet_compiler.exe	99
PID 2988 wrote to memory of 4712	2988	aspnet_compiler.exe	99
PID 2988 wrote to memory of 4712	2988	aspnet_compiler.exe	99

C:\Users\Admin\AppData\Local\Temp\dfcb89871609972a7830baf6b6840ff7.exe
"C:\Users\Admin\AppData\Local\Temp\dfcb89871609972a7830baf6b6840ff7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/908-11-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/908-12-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/908-13-0x0000000004550000-0x0000000004560000-memory.dmp

Filesize
64KB

Download
memory/908-15-0x0000000004550000-0x0000000004560000-memory.dmp

Filesize
64KB

Download
memory/908-21-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/2988-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2988-17-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/2988-18-0x0000000001700000-0x0000000001710000-memory.dmp

Filesize
64KB

Download
memory/2988-19-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/2988-22-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download
memory/2988-23-0x00000000738A0000-0x0000000073E51000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads