njrat | 7d830ebb0a9aa4b17c5a471633e1b354bdefd35e5297716c5ecefbc6cd4b4982

General

Target

4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe
Size

23KB
MD5

26f75dde198f77866dbc6167cc101f2d
SHA1

056d49fc62c8ce9efcedf4ea3e4b8b357e3a23f9
SHA256

4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31
SHA512

a42ca275b2f6ea334adab73a63adef6da64acb8b1663b3658d33c21f187ac1e0ec1cbe2d5b935c1c0c8da024979bf57ff2abc6b610b74aec956ed66a615ba77d
SSDEEP

384:D3gexUw/L+JrgUon5b9uSDMwT9Pfg6NgrWoBYi51mRvR6JZlbw8hqIusZzZ5Hoz:7IAKG91DP1hPRpcnukW

Score

10^/10

njrat hacked by jmrh evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked by JmRh

C2

0.tcp.eu.ngrok.io:15422

Mutex

255adf5996e3bf23b41adff1252970bf

Attributes

reg_key
255adf5996e3bf23b41adff1252970bf
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2560	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\255adf5996e3bf23b41adff1252970bf.exe	Amk 3nDe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\255adf5996e3bf23b41adff1252970bf.exe	Amk 3nDe.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	Amk 3nDe.exe

Loads dropped DLL 1 IoCs

pid	Process
3024	4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\255adf5996e3bf23b41adff1252970bf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Amk 3nDe.exe\" .."	Amk 3nDe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\255adf5996e3bf23b41adff1252970bf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Amk 3nDe.exe\" .."	Amk 3nDe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.eu.ngrok.io
31	0.tcp.eu.ngrok.io
45	0.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe
Token: 33	2512	Amk 3nDe.exe
Token: SeIncBasePriorityPrivilege	2512	Amk 3nDe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2512	3024	4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe	28
PID 3024 wrote to memory of 2512	3024	4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe	28
PID 3024 wrote to memory of 2512	3024	4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe	28
PID 3024 wrote to memory of 2512	3024	4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe	28
PID 2512 wrote to memory of 2560	2512	Amk 3nDe.exe	29
PID 2512 wrote to memory of 2560	2512	Amk 3nDe.exe	29
PID 2512 wrote to memory of 2560	2512	Amk 3nDe.exe	29
PID 2512 wrote to memory of 2560	2512	Amk 3nDe.exe	29

C:\Users\Admin\AppData\Local\Temp\4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe
"C:\Users\Admin\AppData\Local\Temp\4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Users\Admin\AppData\Local\Temp\Amk 3nDe.exe
  "C:\Users\Admin\AppData\Local\Temp\Amk 3nDe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Amk 3nDe.exe" "Amk 3nDe.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Amk 3nDe.exe

Filesize
23KB

MD5
26f75dde198f77866dbc6167cc101f2d

SHA1
056d49fc62c8ce9efcedf4ea3e4b8b357e3a23f9

SHA256
4a5fdda9ee07e884e1d89612b56a932acb9c812b72cccacde885da0f9b4eab31

SHA512
a42ca275b2f6ea334adab73a63adef6da64acb8b1663b3658d33c21f187ac1e0ec1cbe2d5b935c1c0c8da024979bf57ff2abc6b610b74aec956ed66a615ba77d

Download Submit
memory/2512-10-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/2512-11-0x00000000020B0000-0x00000000020F0000-memory.dmp

Filesize
256KB

Download
memory/2512-14-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-0-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-1-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-2-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/3024-12-0x0000000074D30000-0x00000000752DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads