njrat | 7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed

General

Target

207A0A0F98F554F4B8CE5715F07514C6.exe
Size

113KB
MD5

207a0a0f98f554f4b8ce5715f07514c6
SHA1

693f287b916c2376573aeff102827961ee1352f4
SHA256

7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed
SHA512

a7607294b616d99fc4f345bbcf0c038d0aeae3d207a340adccc0c20022168d71fe9e55fe3f2b0d9d8f6b00242f7995333761df3a47951ec124c9de501ca8a243
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiaH:P5eznsjsguGDFqGZ2rZ

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4620 netsh.exe

pid	process
4620	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

207A0A0F98F554F4B8CE5715F07514C6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	207A0A0F98F554F4B8CE5715F07514C6.exe

Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

4536 chargeable.exe
3768 chargeable.exe

pid	process
4536	chargeable.exe
3768	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

207A0A0F98F554F4B8CE5715F07514C6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	207A0A0F98F554F4B8CE5715F07514C6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\207A0A0F98F554F4B8CE5715F07514C6.exe"	207A0A0F98F554F4B8CE5715F07514C6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 4536 set thread context of 3768 4536 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4536 set thread context of 3768	4536	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe
Token: 33	3768	chargeable.exe
Token: SeIncBasePriorityPrivilege	3768	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

207A0A0F98F554F4B8CE5715F07514C6.exechargeable.exechargeable.exe

description	pid	process	target process
PID 3252 wrote to memory of 4536	3252	207A0A0F98F554F4B8CE5715F07514C6.exe	chargeable.exe
PID 3252 wrote to memory of 4536	3252	207A0A0F98F554F4B8CE5715F07514C6.exe	chargeable.exe
PID 3252 wrote to memory of 4536	3252	207A0A0F98F554F4B8CE5715F07514C6.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 4536 wrote to memory of 3768	4536	chargeable.exe	chargeable.exe
PID 3768 wrote to memory of 4620	3768	chargeable.exe	netsh.exe
PID 3768 wrote to memory of 4620	3768	chargeable.exe	netsh.exe
PID 3768 wrote to memory of 4620	3768	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\207A0A0F98F554F4B8CE5715F07514C6.exe
"C:\Users\Admin\AppData\Local\Temp\207A0A0F98F554F4B8CE5715F07514C6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:4620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log
Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
113KB

MD5
de66964529c518c15474179e39c85840

SHA1
464efdabd2a3c66b79b5105f4b964f25ae88dede

SHA256
a4657a5437543e044d96d1d1427c49c031c821a4bcf34229c178443f42fd0ace

SHA512
81d337777a3dabe996832c989acf92ae62072ba2920110265bea4406d12d3742f80df8ef8d42a95f6e1ed16bd3d3ed83fcf7188fe72dc3d2473b7b96490142ad

Download Submit
memory/3252-0-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3252-1-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3252-2-0x0000000001660000-0x0000000001670000-memory.dmp

Filesize
64KB

Download
memory/3252-17-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3768-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3768-25-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3768-27-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/3768-28-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3768-29-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/3768-30-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/4536-20-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4536-19-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/4536-18-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download
memory/4536-26-0x0000000075350000-0x0000000075901000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads