njrat | e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7

General

Target

Server.exe
Size

43KB
MD5

ba1679841e5fe4d6e57fa247de4774a8
SHA1

8b99c2716c6c5359c452c744382801b6c66ce56c
SHA256

e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7
SHA512

68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8
SSDEEP

384:/ZyjVK7U8yrKWh7TtpEonj8lJ9UtzDgIij+ZsNO3PlpJKkkjh/TzF7pWn/G/greH:BUcY5rHh7Zvnj8l43uXQ/o33+L

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

returns-vary.gl.at.ply.gg:8188

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3040 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

Server.exe

pid process

2200 Server.exe

pid	process
3040	svchost.exe

pid	process
2200	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Server.exesvchost.exe

pid process

2200 Server.exe
3040 svchost.exe

pid	process
2200	Server.exe
3040	svchost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeDebugPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe
Token: 33	3040	svchost.exe
Token: SeIncBasePriorityPrivilege	3040	svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Server.exe

description	pid	process	target process
PID 2200 wrote to memory of 3040	2200	Server.exe	svchost.exe
PID 2200 wrote to memory of 3040	2200	Server.exe	svchost.exe
PID 2200 wrote to memory of 3040	2200	Server.exe	svchost.exe
PID 2200 wrote to memory of 3040	2200	Server.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2200

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
43KB

MD5
ba1679841e5fe4d6e57fa247de4774a8

SHA1
8b99c2716c6c5359c452c744382801b6c66ce56c

SHA256
e1d7377617ccd1f1c75808e60817946cc29e81a5ea079df2d0f147d8778d58f7

SHA512
68c75e7f98cbe2ad8bf68f8114f586d5ae0a922459fd9f1ef8b639ccdb7129c779195cdf9aa3970e10375c78ab9e59d50e41890c74f2edbbb44868b7ac0da2a8

Download Submit
memory/2200-0-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/2200-1-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-2-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2200-3-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2200-14-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-11-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/3040-12-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-13-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download
memory/3040-15-0x00000000743A0000-0x0000000074A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-16-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads