njrat | bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656

General

Target

74561ab8272480ac06696738092ce507_JaffaCakes118.exe
Size

93KB
MD5

74561ab8272480ac06696738092ce507
SHA1

5182c427adf49862dcb6d2444df487c9f1bb21da
SHA256

bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656
SHA512

07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62
SSDEEP

768:tY3zGJhWXxyFcxovUKUJuROprXtgNzeYhYbmXxrjEtCdnl2pi1Rz4Rk3ysGdpvgM:IG3WhIUKcuOJQPhBjEwzGi1dDuDvgS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

0.tcp.ngrok.io:13578

Mutex

73137daa68006467b187b2f414df684d

Attributes

reg_key
73137daa68006467b187b2f414df684d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2716 netsh.exe
2940 netsh.exe
2552 netsh.exe

pid	process
2716	netsh.exe
2940	netsh.exe
2552	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73137daa68006467b187b2f414df684dWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

3036 server.exe
Loads dropped DLL 2 IoCs

Processes:

74561ab8272480ac06696738092ce507_JaffaCakes118.exe

pid process

2156 74561ab8272480ac06696738092ce507_JaffaCakes118.exe
2156 74561ab8272480ac06696738092ce507_JaffaCakes118.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

24 0.tcp.ngrok.io
26 0.tcp.ngrok.io
45 0.tcp.ngrok.io
47 0.tcp.ngrok.io
2 0.tcp.ngrok.io
18 0.tcp.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

3036 server.exe

pid	process
3036	server.exe

pid	process
2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe
2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe

flow	ioc
24	0.tcp.ngrok.io
26	0.tcp.ngrok.io
45	0.tcp.ngrok.io
47	0.tcp.ngrok.io
2	0.tcp.ngrok.io
18	0.tcp.ngrok.io

pid	process
3036	server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe
Token: 33	3036	server.exe
Token: SeIncBasePriorityPrivilege	3036	server.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

74561ab8272480ac06696738092ce507_JaffaCakes118.exeserver.exe

description	pid	process	target process
PID 2156 wrote to memory of 3036	2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe	server.exe
PID 2156 wrote to memory of 3036	2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe	server.exe
PID 2156 wrote to memory of 3036	2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe	server.exe
PID 2156 wrote to memory of 3036	2156	74561ab8272480ac06696738092ce507_JaffaCakes118.exe	server.exe
PID 3036 wrote to memory of 2716	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2716	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2716	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2716	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2940	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2940	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2940	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2940	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2552	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2552	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2552	3036	server.exe	netsh.exe
PID 3036 wrote to memory of 2552	3036	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\74561ab8272480ac06696738092ce507_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74561ab8272480ac06696738092ce507_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2716
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Modifies Windows Firewall
    PID:2940
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
5014379cf5fa31db8a73d68d6353a145

SHA1
2a1a5138e8c9e7547caae1c9fb223afbf714ed00

SHA256
538b830838cbf62e6ce267b48e2eb165030686e5b6317f0b1e9205a3e08c73b8

SHA512
5091a16ef7730449601a70b5ef5512a93c98c76beb8cfee1adc9d39780c49b1d712e764720b04e44e18c7b08633c5d453793462c18dc6bef14d82bf69892e18f

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
93KB

MD5
74561ab8272480ac06696738092ce507

SHA1
5182c427adf49862dcb6d2444df487c9f1bb21da

SHA256
bf65c8e2290aee1cd322f28edf25e804f9626636f0a3263281f172383b97b656

SHA512
07a710a0be9869f2759bf3bcd25a0d981f9503604dd0629cad43114da0942de6fc16da34330e41d7f1c88d43565c70b66c5c4095908392b370abe266b5be7c62

Download Submit
memory/2156-0-0x0000000074411000-0x0000000074412000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2156-2-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/2156-14-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/3036-15-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/3036-16-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download
memory/3036-24-0x0000000074410000-0x00000000749BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads