njrat | 31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2

General

Target

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Size

106KB
MD5

ed1ea689d80a7fab60271d8d24267a5b
SHA1

cbc58903e5ef9a21f32bd86c158039eead84c2e3
SHA256

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
SHA512

1ae6c5549c567994c14301f5808bb835084344574b604dbd6b8e0efc208a7b3b96da55030d9e2f406cabb8e0b486f46e87c670d36308006a0a5142e98f9134ec
SSDEEP

1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoe:w5eznsjsguGDFqGx8egoe

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3764 netsh.exe

pid	process
3764	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

384 chargeable.exe
2912 chargeable.exe

pid	process
384	chargeable.exe
2912	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 384 set thread context of 2912 384 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 384 set thread context of 2912	384	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe
Token: 33	2912	chargeable.exe
Token: SeIncBasePriorityPrivilege	2912	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1600 wrote to memory of 384	1600	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 1600 wrote to memory of 384	1600	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 1600 wrote to memory of 384	1600	31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 384 wrote to memory of 2912	384	chargeable.exe	chargeable.exe
PID 2912 wrote to memory of 3764	2912	chargeable.exe	netsh.exe
PID 2912 wrote to memory of 3764	2912	chargeable.exe	netsh.exe
PID 2912 wrote to memory of 3764	2912	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe
"C:\Users\Admin\AppData\Local\Temp\31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4056 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
106KB

MD5
2b8f9366b9d9545a12195648c260162a

SHA1
e2bd79b49aa5eb8a3f60918fdbf45cc3dc000118

SHA256
8e4000d87c8208514892358a60b5f2c1f9417b5103bba7b2f160003baad92c1d

SHA512
6bfec9c81f7e59519ac225e85821975090228b081437f2a33400a13589ef65ce729e9f665c76ba6582271c2123373f9d93ee14b87ea958038dc9581d6a2dc0e7

Download Submit
memory/384-25-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/384-17-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/384-18-0x0000000000EF0000-0x0000000000F00000-memory.dmp

Filesize
64KB

Download
memory/384-20-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1600-1-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1600-2-0x0000000001530000-0x0000000001540000-memory.dmp

Filesize
64KB

Download
memory/1600-19-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/1600-0-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2912-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2912-26-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2912-27-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/2912-28-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2912-29-0x00000000750D0000-0x0000000075681000-memory.dmp

Filesize
5.7MB

Download
memory/2912-30-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads