njrat | 89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0

General

Target

89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
Size

114KB
MD5

43b54cfac304eeaa653ff9ffbe260427
SHA1

b65b4fb9a6e70f74dc34b2d5c474642a13e84222
SHA256

89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0
SHA512

b22fb5408f1412922e61ba0a1a73de9bbb7361490686420dfb0cb3542c202e8f1fa320938fb1ae2b8c39701dc151e73ee0dd883954f91c11e7640afe437d2277
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6Aa:P5eznsjsguGDFqGZ2riAa

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1700 netsh.exe

pid	process
1700	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe

Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

4464 chargeable.exe
840 chargeable.exe

pid	process
4464	chargeable.exe
840	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe"	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 4464 set thread context of 840 4464 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4464 set thread context of 840	4464	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe
Token: 33	840	chargeable.exe
Token: SeIncBasePriorityPrivilege	840	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exechargeable.exechargeable.exe

description	pid	process	target process
PID 436 wrote to memory of 4464	436	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe	chargeable.exe
PID 436 wrote to memory of 4464	436	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe	chargeable.exe
PID 436 wrote to memory of 4464	436	89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 4464 wrote to memory of 840	4464	chargeable.exe	chargeable.exe
PID 840 wrote to memory of 1700	840	chargeable.exe	netsh.exe
PID 840 wrote to memory of 1700	840	chargeable.exe	netsh.exe
PID 840 wrote to memory of 1700	840	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe
"C:\Users\Admin\AppData\Local\Temp\89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
"C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4464

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
Filesize
114KB

MD5
61102355f95cbc430c0cf9762af85ff0

SHA1
acc48c897e2937eae212b6386fc33179f8c3047b

SHA256
0d30ee16e59f9929b0d85fff1c300b337c524c7d265f2449524337a6f010f7fc

SHA512
4217cc73bcaddcaf5cb1ef2ffe592f924439925973f8fe1736c36b77698200a7b505cf087bf746de0bf040b4d4c462256b075aa148ab74fc3041abd59ee14bdd

Download Submit
memory/436-0-0x0000000074A92000-0x0000000074A93000-memory.dmp

Filesize
4KB

Download
memory/436-1-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/436-16-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/840-18-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/840-23-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/840-21-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/840-24-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/840-25-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4464-17-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download
memory/4464-22-0x0000000074A90000-0x0000000075041000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads