njrat | 31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2

General

Target

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Size

106KB
MD5

ed1ea689d80a7fab60271d8d24267a5b
SHA1

cbc58903e5ef9a21f32bd86c158039eead84c2e3
SHA256

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
SHA512

1ae6c5549c567994c14301f5808bb835084344574b604dbd6b8e0efc208a7b3b96da55030d9e2f406cabb8e0b486f46e87c670d36308006a0a5142e98f9134ec
SSDEEP

1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoe:w5eznsjsguGDFqGx8egoe

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2744 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

3056 chargeable.exe
2616 chargeable.exe

pid	process
2744	netsh.exe

pid	process
3056	chargeable.exe
2616	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

pid	process
2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 3056 set thread context of 2616 3056 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 3056 set thread context of 2616	3056	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe
Token: 33	2616	chargeable.exe
Token: SeIncBasePriorityPrivilege	2616	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2240 wrote to memory of 3056	2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 2240 wrote to memory of 3056	2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 2240 wrote to memory of 3056	2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 2240 wrote to memory of 3056	2240	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 3056 wrote to memory of 2616	3056	chargeable.exe	chargeable.exe
PID 2616 wrote to memory of 2744	2616	chargeable.exe	netsh.exe
PID 2616 wrote to memory of 2744	2616	chargeable.exe	netsh.exe
PID 2616 wrote to memory of 2744	2616	chargeable.exe	netsh.exe
PID 2616 wrote to memory of 2744	2616	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
"C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
106KB

MD5
af15e82dcc3a8f173344dbcfeeca8c1a

SHA1
6187ffa0e9d0833819b535b7eb2bbdfc4c160c3d

SHA256
7d6ba86b66f8af5317af5c22358421bfc7767968ee81a041457d860b6ff47516

SHA512
141f8dc7eab9e51e1d6cbf7455a2bb508bff3a8a4e66a5c80a2b48b73bccb3bef1f0bd69c0c85f3e60cc50559127af07d02c5f4995e9ce4d0fb550d12104bc31

Download Submit
memory/2240-0-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-1-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2240-15-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2616-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2616-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2616-27-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2616-26-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-28-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-29-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-30-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/3056-17-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/3056-18-0x0000000000420000-0x0000000000460000-memory.dmp

Filesize
256KB

Download
memory/3056-16-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download
memory/3056-23-0x0000000074290000-0x000000007483B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads