njrat | 2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

10^/10

njrat njrat persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

njRat

C2

127.0.0.1:21679

Mutex

HDAudio.exe

Attributes

reg_key
HDAudio.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe

Executes dropped EXE 4 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exe

pid process

2568 HDAudio.exe
2460 HDAudio.exe
2628 HDAudio.exe
1544 HDAudio.exe

pid	process
2568	HDAudio.exe
2460	HDAudio.exe
2628	HDAudio.exe
1544	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2388 schtasks.exe

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

pid	process
2388	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

HDAudio.exe

description	pid	process
Token: SeDebugPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe
Token: 33	2568	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2568	HDAudio.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Cheat.exeHDAudio.exetaskeng.exe

description	pid	process	target process
PID 2916 wrote to memory of 2568	2916	Cheat.exe	HDAudio.exe
PID 2916 wrote to memory of 2568	2916	Cheat.exe	HDAudio.exe
PID 2916 wrote to memory of 2568	2916	Cheat.exe	HDAudio.exe
PID 2916 wrote to memory of 2568	2916	Cheat.exe	HDAudio.exe
PID 2568 wrote to memory of 2576	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2576	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2576	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2576	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2388	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2388	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2388	2568	HDAudio.exe	schtasks.exe
PID 2568 wrote to memory of 2388	2568	HDAudio.exe	schtasks.exe
PID 2384 wrote to memory of 2460	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2460	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2460	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2460	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2628	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2628	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2628	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 2628	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 1544	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 1544	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 1544	2384	taskeng.exe	HDAudio.exe
PID 2384 wrote to memory of 1544	2384	taskeng.exe	HDAudio.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\HDAudio.exe
"C:\Windows\HDAudio.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "RealtekHDAudio" /f
3⤵
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
3⤵
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\taskeng.exe
taskeng.exe {B1F4211E-5EE2-4C0F-BF7B-85AD5A1086CB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\HDAudio.exe
C:\Windows\HDAudio.exe
2⤵
- Executes dropped EXE
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HDAudio.exe
Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
memory/2568-9-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-14-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-16-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2568-17-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-2-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-1-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-0-0x0000000074171000-0x0000000074172000-memory.dmp

Filesize
4KB

Download
memory/2916-10-0x0000000074170000-0x000000007471B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads