njrat | f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4

General

Target

svchost.exe
Size

1.1MB
MD5

5bf9ee7d92c033665bbbe4cc83c6c8bd
SHA1

e763e34f50c83e1cf8c4be632993b8cec2ed193e
SHA256

f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4
SHA512

f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448
SSDEEP

24576:EQlWF5PC5xcbIdo20hVV58hCXeFnnw0uR7DF8A+dIJtFwwGf3xx7BzU:jnxcbOo28PeFcR7DF8YbGfL7BQ

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1052 netsh.exe
1260 netsh.exe

pid	process
1052	netsh.exe
1260	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a5f4311056a11b632f3449ff4bfd0e3.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a5f4311056a11b632f3449ff4bfd0e3.exe	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3636 svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3a5f4311056a11b632f3449ff4bfd0e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a5f4311056a11b632f3449ff4bfd0e3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

svchost.exesvchost.exe

pid process

1384 svchost.exe
1384 svchost.exe
3636 svchost.exe
3636 svchost.exe
3636 svchost.exe
3636 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4120 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1956 PING.EXE

pid	process
1384	svchost.exe
1384	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe

pid	process
4120	taskkill.exe

pid	process
1956	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe
3636	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid process

3636 svchost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

svchost.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3636	svchost.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: 33	3636	svchost.exe
Token: SeIncBasePriorityPrivilege	3636	svchost.exe
Token: 33	3636	svchost.exe
Token: SeIncBasePriorityPrivilege	3636	svchost.exe
Token: 33	3636	svchost.exe
Token: SeIncBasePriorityPrivilege	3636	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1384 svchost.exe
3636 svchost.exe

pid	process
1384	svchost.exe
3636	svchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

svchost.exesvchost.execmd.exe

description	pid	process	target process
PID 1384 wrote to memory of 3636	1384	svchost.exe	svchost.exe
PID 1384 wrote to memory of 3636	1384	svchost.exe	svchost.exe
PID 1384 wrote to memory of 3636	1384	svchost.exe	svchost.exe
PID 3636 wrote to memory of 1260	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 1260	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 1260	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 4120	3636	svchost.exe	taskkill.exe
PID 3636 wrote to memory of 4120	3636	svchost.exe	taskkill.exe
PID 3636 wrote to memory of 4120	3636	svchost.exe	taskkill.exe
PID 3636 wrote to memory of 1052	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 1052	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 1052	3636	svchost.exe	netsh.exe
PID 3636 wrote to memory of 2540	3636	svchost.exe	cmd.exe
PID 3636 wrote to memory of 2540	3636	svchost.exe	cmd.exe
PID 3636 wrote to memory of 2540	3636	svchost.exe	cmd.exe
PID 2540 wrote to memory of 1956	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 1956	2540	cmd.exe	PING.EXE
PID 2540 wrote to memory of 1956	2540	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1260

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM MsMpEng.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Modifies Windows Firewall
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /k ping 0 & del "C:\Users\Admin\AppData\Roaming\svchost.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\PING.EXE
ping 0
4⤵
- Runs ping.exe
PID:1956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:8
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svchost.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
1.1MB

MD5
5bf9ee7d92c033665bbbe4cc83c6c8bd

SHA1
e763e34f50c83e1cf8c4be632993b8cec2ed193e

SHA256
f7ca25eb2280d864435398259c502fe3dac6797871d8d1e9d362a889419c5cf4

SHA512
f3026e908adf75147bfef7737bcf98701118ea310a0b93b9c04369656572e1c3f43f6a2a2fe61a31a0f66d2b59d6a74ca4efc5528a65ac64784b6aa8b7472448

Download Submit
memory/1384-15-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/1384-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/1384-14-0x00000000005E0000-0x0000000000956000-memory.dmp

Filesize
3.5MB

Download
memory/1384-0-0x00000000005E0000-0x0000000000956000-memory.dmp

Filesize
3.5MB

Download
memory/1384-1-0x0000000074C52000-0x0000000074C53000-memory.dmp

Filesize
4KB

Download
memory/3636-11-0x0000000000CE0000-0x0000000001056000-memory.dmp

Filesize
3.5MB

Download
memory/3636-17-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3636-18-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3636-22-0x0000000000CE0000-0x0000000001056000-memory.dmp

Filesize
3.5MB

Download
memory/3636-23-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3636-28-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3636-29-0x0000000000CE0000-0x0000000001056000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads