njrat | 0b19a02bdfaab560d515b3fd51df9075c62995c8256145d8e6448acd5d366266

General

Target

CSGO cheat Injector.exe
Size

3.3MB
MD5

01b49aed665fd529003ad01832496c87
SHA1

ab94f91fdf173a9c3fb54a0a34d4184199c14ed5
SHA256

6c9e49b58cb313e27a026efdd33dbf86867a658bf6b2f3668f7c11b1fd4aefe0
SHA512

d0ecd2442162edb04b006d0f0877e5dc5c7d5a777f22a5a4997d0650c429a6b39d73b6fbbc2d6b085e65610aca0b93b0489f96da4d28334e0cf17a847c00a39a
SSDEEP

98304:t7Iviz/27qWGq/TzuqCDl2Ptao7jcEZTfGNK3:hIviq75/Tzuf2Z6NK3

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3704 netsh.exe

pid	process
3704	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CDS.execrypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	CDS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	crypted.exe

Drops startup file 2 IoCs

Processes:

svchos.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bab42d001896286dbfc0834be2d10b9f.exe	svchos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bab42d001896286dbfc0834be2d10b9f.exe	svchos.exe

Executes dropped EXE 3 IoCs

Processes:

CDS.execrypted.exesvchos.exe

pid process

4588 CDS.exe
468 crypted.exe
3232 svchos.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

4588 CDS.exe

pid	process
4588	CDS.exe
468	crypted.exe
3232	svchos.exe

pid	process
4588	CDS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CSGO cheat Injector.exesvchos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CSGO cheat Injector.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bab42d001896286dbfc0834be2d10b9f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchos.exe\" .."	svchos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bab42d001896286dbfc0834be2d10b9f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchos.exe\" .."	svchos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

4588 CDS.exe
4588 CDS.exe

pid	process
4588	CDS.exe
4588	CDS.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

AUDIODG.EXEsvchos.exe

description	pid	process
Token: 33	1676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1676	AUDIODG.EXE
Token: SeDebugPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe
Token: 33	3232	svchos.exe
Token: SeIncBasePriorityPrivilege	3232	svchos.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

4588 CDS.exe
4588 CDS.exe

pid	process
4588	CDS.exe
4588	CDS.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

CSGO cheat Injector.exeCDS.execrypted.exesvchos.exe

description	pid	process	target process
PID 4804 wrote to memory of 4588	4804	CSGO cheat Injector.exe	CDS.exe
PID 4804 wrote to memory of 4588	4804	CSGO cheat Injector.exe	CDS.exe
PID 4804 wrote to memory of 4588	4804	CSGO cheat Injector.exe	CDS.exe
PID 4588 wrote to memory of 468	4588	CDS.exe	crypted.exe
PID 4588 wrote to memory of 468	4588	CDS.exe	crypted.exe
PID 4588 wrote to memory of 468	4588	CDS.exe	crypted.exe
PID 468 wrote to memory of 3232	468	crypted.exe	svchos.exe
PID 468 wrote to memory of 3232	468	crypted.exe	svchos.exe
PID 468 wrote to memory of 3232	468	crypted.exe	svchos.exe
PID 3232 wrote to memory of 3704	3232	svchos.exe	netsh.exe
PID 3232 wrote to memory of 3704	3232	svchos.exe	netsh.exe
PID 3232 wrote to memory of 3704	3232	svchos.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\CSGO cheat Injector.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO cheat Injector.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468

C:\Users\Admin\AppData\Local\Temp\svchos.exe
"C:\Users\Admin\AppData\Local\Temp\svchos.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchos.exe" "svchos.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3704

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x45c 0x328
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3456,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
1⤵
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat
Filesize
86KB

MD5
dcdd76e80973787b5db380543e380f8a

SHA1
8a6b881fc535bc493bc0f225a6f47c6a696568c0

SHA256
aede243661ad8863a7c91ab57e20dfbe1fafd7ea5b2df0482c08da7b96501810

SHA512
61296aea1c20f96efeb10368f5f2f8ed56466fa4e7c2bdac8a7c20c51c8aeae1e8f336b813408e63eb3f027d45b8d1b4e7b9389dc0710c4b2ef6024dbe9ee165

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
Filesize
86KB

MD5
6b22cfdf10b292df5e08bd63c97f4e66

SHA1
951b3751f3b84fdc09d66674a33edd8236dd1624

SHA256
580440de3ad0aa5b5a55451fefd38ce19597dd2f50ff09e13e10bf98a0e45555

SHA512
9f109cce75668db583ffef6be7cf05eb90c468c4911553f10dc9514d7c82afe48fde48ddf2d8d6ab8a7a46f14f345966630430d0295a8721591abd27c2dd982c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads