njrat | b015c11294a789e3cd9b8a709a817ef0949db2702b943d3b31c27cf392f44bcf

General

Target

ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
Size

107KB
MD5

e53219c25838d5d1eba21c5608dba74d
SHA1

63b1c1c5ae014c01986c59a880209083823151b6
SHA256

ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b
SHA512

f6e3bda1ba52e3d4865cb1e25a3b65091f3fd386d37a2144fee9bbeed331be926cf09e38fd226043416b4e18c2deff30d9ab97b7099532cb3f86d047e0ad6e4b
SSDEEP

1536:orp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4xtKegoxmOE:w5eznsjsguGDFqGx8egoxmOE

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3344 netsh.exe

pid	process
3344	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe

Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

2544 chargeable.exe
4380 chargeable.exe

pid	process
2544	chargeable.exe
4380	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe"	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 2544 set thread context of 4380 2544 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2544 set thread context of 4380	2544	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe
Token: 33	4380	chargeable.exe
Token: SeIncBasePriorityPrivilege	4380	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exechargeable.exechargeable.exe

description	pid	process	target process
PID 2284 wrote to memory of 2544	2284	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe	chargeable.exe
PID 2284 wrote to memory of 2544	2284	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe	chargeable.exe
PID 2284 wrote to memory of 2544	2284	ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 2544 wrote to memory of 4380	2544	chargeable.exe	chargeable.exe
PID 4380 wrote to memory of 3344	4380	chargeable.exe	netsh.exe
PID 4380 wrote to memory of 3344	4380	chargeable.exe	netsh.exe
PID 4380 wrote to memory of 3344	4380	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe
"C:\Users\Admin\AppData\Local\Temp\ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
107KB

MD5
4cc98e7a1b77a0e833f68020e855273f

SHA1
e347a239fa17a31a08163011ecffa8c3e0b032cf

SHA256
b0ff66881bada5726b248c5f7fa3d0a784e41646d93be89f4c915eba5eefc299

SHA512
1a0ea22e9f41025148995f308d62b33c05c08a66bdd52a87dc98658fe5cf7b2aa2c1a0c0f1807a75c6ba8a4d7af3d98556c3994fba6e482ac918a1928e47e121

Download Submit
memory/2284-1-0x0000000000D20000-0x0000000000D30000-memory.dmp

Filesize
64KB

Download
memory/2284-2-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2284-18-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2284-0-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-24-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/2544-17-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-19-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4380-23-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/4380-25-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-22-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-26-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download
memory/4380-27-0x0000000001400000-0x0000000001410000-memory.dmp

Filesize
64KB

Download
memory/4380-28-0x0000000074810000-0x0000000074DC1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads