ebdff179265008e86994c47f5363698930f2ed571184bf37d379814e732ffa4f

Analysis

max time kernel
1479s
max time network
1506s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
12-05-2024 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NJRAT-main/NJRAT 0.7D/NJRAT 0.7D.exe
Size

1.8MB
MD5

51f09307cf869fd8d38a887e215f68f1
SHA1

1e712db1c8e4f85f8a9c3c0df269c33a591eb7de
SHA256

ffe4de68cf4b6a1f23bbb4097ad6a29c6a2dbd2f1b609a7b15d38fd8478496ed
SHA512

9394a5a852b574666b2ffe6ed0fc075fa40a4d677a89969339450ec1f7784c2d4b8a10e457c0fe325f24bbbd341bfb3149bec65a24bb7241fc688ab473be0aec
SSDEEP

49152:5ZB1G8Ycd66Dk7UcGZr8dr9urHhiF4VX5//:r3GKAcVejujhiF0XB/

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1672	GeoIP.exe
1140	NJRAT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1948	1672	WerFault.exe	78

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3752	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1140	NJRAT.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1140	NJRAT.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1672	2664	NJRAT 0.7D.exe	78
PID 2664 wrote to memory of 1672	2664	NJRAT 0.7D.exe	78
PID 2664 wrote to memory of 1672	2664	NJRAT 0.7D.exe	78
PID 2664 wrote to memory of 1140	2664	NJRAT 0.7D.exe	85
PID 2664 wrote to memory of 1140	2664	NJRAT 0.7D.exe	85

C:\Users\Admin\AppData\Local\Temp\NJRAT-main\NJRAT 0.7D\NJRAT 0.7D.exe
"C:\Users\Admin\AppData\Local\Temp\NJRAT-main\NJRAT 0.7D\NJRAT 0.7D.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\GeoIP.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\GeoIP.exe" /GeoIP.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1020
    3⤵
    - Program crash
    PID:1948
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\NJRAT.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\NJRAT.exe" /NJRAT.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1672 -ip 1672
1⤵
PID:1868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\GeoIP.dat

Filesize
1.2MB

MD5
797b96cc417d0cde72e5c25d0898e95e

SHA1
8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13

SHA256
8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426

SHA512
9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\GeoIP.exe

Filesize
18KB

MD5
016fb288619fb9b7513ecf087cf14535

SHA1
5699d0cda6add8c96aa21eaab5d0f67b3765acd5

SHA256
882289d1bc625d30610d44c9739362d4d340d0c5d9024a24f01c5bd7ed8fde93

SHA512
61880ae28966a21f5a26a808f6146cda3e099793ade739cc5b49f3582aa5da0db70c687a89f422a637516d75d674a2f262fdcce51323625e5852967fec433f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\NJRAT.exe

Filesize
1.6MB

MD5
473e1a7be89c3a727176d4f9f5a64b69

SHA1
501eb2c1432ff2b4e5ff582ad82d0fca152adebc

SHA256
bf853789b938bdc5da8aaeb52511379a332c7cf238266a21bfcb0318a62e85cb

SHA512
4d0ef049c83fe2790e8c201c643b68be26ae854feaeb154e7b1703c9f7c7250abc7307cef035f723fe8d5cf9d85175ff19a7bd37c403536617c8df9f9a7079fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\WinMM.Net.dll

Filesize
43KB

MD5
d4b80052c7b4093e10ce1f40ce74f707

SHA1
2494a38f1c0d3a0aa9b31cf0650337cacc655697

SHA256
59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

SHA512
3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\cam.dll

Filesize
63KB

MD5
a73edb60b80a2dfa86735d821bea7b19

SHA1
f39a54d7bc25425578a2b800033e4508714a73ed

SHA256
7a4977b024d048b71bcc8f1cc65fb06e4353821323f852dc6740b79b9ab75c98

SHA512
283e9206d0b56c1f8b0741375ccd0a184410cf89f5f42dfe91e7438c5fd0ac7fa4afbb84b8b7ea448b3093397552fd3731b9be74c67b846d946da486dcf0df68

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\ch.dll

Filesize
12KB

MD5
e747fa3339c1f138b6bfce707b541d03

SHA1
b95c54fbd6eb20ba4b4e69736b574baa2699ab8e

SHA256
6e31148cc1b3235b71731c3944a7b06f861e104e978708d12c695ec09b5b3760

SHA512
b970c3e8bf6a2e3ae920bc8bd014edb86ca92c85a2bccff732c7e5eb2f81ffbd902a34a0a68bd51545954b5f4d6dd1bb84b5c005868c0659717eba2892a67355

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\mic.dll

Filesize
50KB

MD5
d4c5ddc00f27162fc0947830e0e762b7

SHA1
7769be616d752e95d80e167f2ef4cc6b8c3c21fe

SHA256
b6fb6b66821e70a27a4750b0cd0393e4ee2603a47feac48d6a3d66d1c1cb56d5

SHA512
9555f800213f2f4a857b4558aa4d030edf41485b8366812d5a6b9adcc77fc21584e30d2dd9ce515846f3a809c85038958cb8174bf362cf6fed97ca99a826e379

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\plg.dll

Filesize
28KB

MD5
0cbc2d9703feead9783439e551c2b673

SHA1
4f8f4addd6f9e60598a7f4a191a89a52201394a8

SHA256
ea9ecf8723788feef6492bf938cdfab1266a1558dffe75e1f78a998320f96e39

SHA512
06f55b542000e23f5eeba45ea5ff9ffaddddd102935e039e4496af5e5083f257129dab2f346eeae4ee864f54db57d3c73cf6ed1d3568087411203769cf0ddd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\pw.dll

Filesize
39KB

MD5
db87daf76c15f3808cec149f639aa64f

SHA1
d67f84a44ddc25432ce179aeba9cff778af746ee

SHA256
a3e4bee1b6944aa9266bd58de3f534a4c1896df621881a5252a0d355a6e67c70

SHA512
ad7dc75254180ff7c988b7f394ad76b696384002457d558469d2c6401dd97cba54c532245bb555ab28d2beda3ab504736bb2b89040a21ba6598929392daab473

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NJRAT\plugin\sc2.dll

Filesize
12KB

MD5
19967e886edcd2f22f8d4a58c8ea3773

SHA1
bf6e0e908eaad659fdd32572e9d73c5476ca26ec

SHA256
3e5141c75b7746c0eb2b332082a165deacb943cef26bd84668e6b79b47bdfd93

SHA512
d471df3f0d69909e8ef9f947da62c77c3ff1eb97ac1dd53a74ad09fb4d74ec26c3c22facc18ec04f26df3b85b0c70863119f5baa090b110ab25383fcdb4e9d6e

Download Submit
memory/1140-53-0x000000001C4A0000-0x000000001C53C000-memory.dmp

Filesize
624KB

Download
memory/1140-67-0x00007FFAC4835000-0x00007FFAC4836000-memory.dmp

Filesize
4KB

Download
memory/1140-51-0x000000001BF00000-0x000000001C3CE000-memory.dmp

Filesize
4.8MB

Download
memory/1140-55-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/1140-56-0x000000001C600000-0x000000001C64C000-memory.dmp

Filesize
304KB

Download
memory/1140-57-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

Filesize
9.6MB

Download
memory/1140-52-0x00007FFAC4835000-0x00007FFAC4836000-memory.dmp

Filesize
4KB

Download
memory/1140-59-0x000000001CFB0000-0x000000001CFC2000-memory.dmp

Filesize
72KB

Download
memory/1140-50-0x000000001B980000-0x000000001BA26000-memory.dmp

Filesize
664KB

Download
memory/1140-54-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

Filesize
9.6MB

Download
memory/1140-68-0x00007FFAC4580000-0x00007FFAC4F21000-memory.dmp

Filesize
9.6MB

Download
memory/1672-39-0x00000000745C0000-0x0000000074D71000-memory.dmp

Filesize
7.7MB

Download
memory/1672-36-0x0000000004AF0000-0x0000000004B0A000-memory.dmp

Filesize
104KB

Download
memory/1672-35-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1672-34-0x00000000745CE000-0x00000000745CF000-memory.dmp

Filesize
4KB

Download
memory/1672-37-0x0000000004B80000-0x0000000004BE6000-memory.dmp

Filesize
408KB

Download
memory/1672-38-0x00000000745C0000-0x0000000074D71000-memory.dmp

Filesize
7.7MB

Download