njrat | 2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4

General

Target

97d72efbb1f6fea3f158b136c330689d.exe
Size

67KB
MD5

97d72efbb1f6fea3f158b136c330689d
SHA1

43c884250ed032ced44d72d932518e831a34161d
SHA256

2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4
SHA512

a9937e30d19ebf33ebe4c20792f7499e79996f06b5e3bc6f28d506ba4440640ebc923d424184007f2f111c3706876c029f6d4e41d5ed144c2b8e666b32689596
SSDEEP

1536:uuKlhoxbyGiiKkTvTiCUU8b+a1fJ3l4fLU2cjdFZPvf9G95T8KCc4:NKOyGxKIiCV8aa1fJV4zMF54ra

Score

10^/10

njrat victim evasion trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

0.tcp.eu.ngrok.io:18350

Mutex

f2d4732908d59805d830a49d36974ac0

Attributes

reg_key
f2d4732908d59805d830a49d36974ac0
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

4 0.tcp.eu.ngrok.io
13 0.tcp.eu.ngrok.io
33 0.tcp.eu.ngrok.io
47 0.tcp.eu.ngrok.io
2 pastebin.com
3 pastebin.com
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2648 sc.exe
2640 sc.exe
2872 sc.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2760 powershell.exe

flow	ioc
4	0.tcp.eu.ngrok.io
13	0.tcp.eu.ngrok.io
33	0.tcp.eu.ngrok.io
47	0.tcp.eu.ngrok.io
2	pastebin.com
3	pastebin.com

pid	process
2648	sc.exe
2640	sc.exe
2872	sc.exe

pid	process
2760	powershell.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

powershell.exe97d72efbb1f6fea3f158b136c330689d.exe

description	pid	process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: 33	2204	97d72efbb1f6fea3f158b136c330689d.exe
Token: SeIncBasePriorityPrivilege	2204	97d72efbb1f6fea3f158b136c330689d.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

97d72efbb1f6fea3f158b136c330689d.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2224	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2224	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2224	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2224 wrote to memory of 2760	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 2760	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 2760	2224	cmd.exe	powershell.exe
PID 2204 wrote to memory of 2976	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2976	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2976	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2976 wrote to memory of 2648	2976	cmd.exe	sc.exe
PID 2976 wrote to memory of 2648	2976	cmd.exe	sc.exe
PID 2976 wrote to memory of 2648	2976	cmd.exe	sc.exe
PID 2204 wrote to memory of 2656	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2656	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2656	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2656 wrote to memory of 2640	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2640	2656	cmd.exe	sc.exe
PID 2656 wrote to memory of 2640	2656	cmd.exe	sc.exe
PID 2204 wrote to memory of 2684	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2684	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2204 wrote to memory of 2684	2204	97d72efbb1f6fea3f158b136c330689d.exe	cmd.exe
PID 2684 wrote to memory of 2872	2684	cmd.exe	sc.exe
PID 2684 wrote to memory of 2872	2684	cmd.exe	sc.exe
PID 2684 wrote to memory of 2872	2684	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\97d72efbb1f6fea3f158b136c330689d.exe
"C:\Users\Admin\AppData\Local\Temp\97d72efbb1f6fea3f158b136c330689d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\cmd.exe
cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\cmd.exe
cmd /c sc query windefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\sc.exe
sc query windefend
3⤵
- Launches sc.exe
PID:2648

C:\Windows\system32\cmd.exe
cmd /c sc stop windefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\system32\sc.exe
sc stop windefend
3⤵
- Launches sc.exe
PID:2640

C:\Windows\system32\cmd.exe
cmd /c sc delete windefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\system32\sc.exe
sc delete windefend
3⤵
- Launches sc.exe
PID:2872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-0-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000000200000-0x000000000021C000-memory.dmp

Filesize
112KB

Download
memory/2204-2-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2204-16-0x000007FEF636E000-0x000007FEF636F000-memory.dmp

Filesize
4KB

Download
memory/2204-15-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-9-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2760-10-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-12-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-11-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-13-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-14-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-7-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-8-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing