njrat | a2437edff6ad2572fb977153bbd6f31f45f5507657e1bf450db84203e7e2cf0e

General

Target

7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe
Size

113KB
MD5

207a0a0f98f554f4b8ce5715f07514c6
SHA1

693f287b916c2376573aeff102827961ee1352f4
SHA256

7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed
SHA512

a7607294b616d99fc4f345bbcf0c038d0aeae3d207a340adccc0c20022168d71fe9e55fe3f2b0d9d8f6b00242f7995333761df3a47951ec124c9de501ca8a243
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiaH:P5eznsjsguGDFqGZ2rZ

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2172	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe

Executes dropped EXE 2 IoCs

pid	Process
4628	chargeable.exe
2328	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe"	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4628 set thread context of 2328	4628	chargeable.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe
Token: 33	2328	chargeable.exe
Token: SeIncBasePriorityPrivilege	2328	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 4628	1900	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe	92
PID 1900 wrote to memory of 4628	1900	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe	92
PID 1900 wrote to memory of 4628	1900	7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe	92
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 4628 wrote to memory of 2328	4628	chargeable.exe	97
PID 2328 wrote to memory of 2172	2328	chargeable.exe	100
PID 2328 wrote to memory of 2172	2328	chargeable.exe	100
PID 2328 wrote to memory of 2172	2328	chargeable.exe	100

C:\Users\Admin\AppData\Local\Temp\7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe
"C:\Users\Admin\AppData\Local\Temp\7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
113KB

MD5
a100100f9315cd27107ddd00898ac8c0

SHA1
782aa2d1a90eb6d6cf6aec58483b40fec97754d8

SHA256
c926f7d19dee284fdd3289d1eb7ef581523f34058cd0aead9a6c7b059a2897c2

SHA512
1f7aa8a5a65dd0db1c2342d082a4f4463a48b64d9ba58f32bd7524209fab9250fc4692af6e95d7e7fe3e08d854aeed55077aeabb5d1740f505f79c01ec1ad66d

Download Submit
memory/1900-1-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1900-2-0x00000000018D0000-0x00000000018E0000-memory.dmp

Filesize
64KB

Download
memory/1900-0-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/1900-17-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2328-26-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2328-31-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/2328-30-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2328-29-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/2328-22-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2328-27-0x0000000001170000-0x0000000001180000-memory.dmp

Filesize
64KB

Download
memory/4628-18-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4628-21-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4628-28-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4628-20-0x00000000748C0000-0x0000000074E71000-memory.dmp

Filesize
5.7MB

Download
memory/4628-19-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads