njrat | f1ee6a26a415669c195bb842fad2d0330776d9e8544a406ba60837c5f5d45e2d

General

Target

272807e29879a6d16fd18eed2e7ff7ea.exe
Size

114KB
MD5

272807e29879a6d16fd18eed2e7ff7ea
SHA1

79dbc3bc456688a5eb6e11443d2e756c069a74fd
SHA256

f1ee6a26a415669c195bb842fad2d0330776d9e8544a406ba60837c5f5d45e2d
SHA512

5767ad38c4a8dbe79bb979acdc7f0c0ae87f708a1b6dc8099c2a38592ab7dea031e35b5fd467e48262510b93d3af96e130a3f83622b53c1611218e4f0d35e365
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuML:P5eznsjsguGDFqGZ2rL

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4436 netsh.exe

pid	process
4436	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

272807e29879a6d16fd18eed2e7ff7ea.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	272807e29879a6d16fd18eed2e7ff7ea.exe

Executes dropped EXE 3 IoCs

Processes:

chargeable.exechargeable.exechargeable.exe

pid process

2608 chargeable.exe
4768 chargeable.exe
4764 chargeable.exe

pid	process
2608	chargeable.exe
4768	chargeable.exe
4764	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

272807e29879a6d16fd18eed2e7ff7ea.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	272807e29879a6d16fd18eed2e7ff7ea.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\272807e29879a6d16fd18eed2e7ff7ea.exe"	272807e29879a6d16fd18eed2e7ff7ea.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

chargeable.exe

description	pid	process	target process
PID 2608 set thread context of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 set thread context of 4764	2608	chargeable.exe	chargeable.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

796 4764 WerFault.exe chargeable.exe

pid	pid_target	process	target process
796	4764	WerFault.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe
Token: 33	4768	chargeable.exe
Token: SeIncBasePriorityPrivilege	4768	chargeable.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

272807e29879a6d16fd18eed2e7ff7ea.exechargeable.exechargeable.exe

description	pid	process	target process
PID 1712 wrote to memory of 2608	1712	272807e29879a6d16fd18eed2e7ff7ea.exe	chargeable.exe
PID 1712 wrote to memory of 2608	1712	272807e29879a6d16fd18eed2e7ff7ea.exe	chargeable.exe
PID 1712 wrote to memory of 2608	1712	272807e29879a6d16fd18eed2e7ff7ea.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4768	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 2608 wrote to memory of 4764	2608	chargeable.exe	chargeable.exe
PID 4768 wrote to memory of 4436	4768	chargeable.exe	netsh.exe
PID 4768 wrote to memory of 4436	4768	chargeable.exe	netsh.exe
PID 4768 wrote to memory of 4436	4768	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\272807e29879a6d16fd18eed2e7ff7ea.exe
"C:\Users\Admin\AppData\Local\Temp\272807e29879a6d16fd18eed2e7ff7ea.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 80
      4⤵
      Program crash
      PID:796
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4764 -ip 4764
1⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
114KB

MD5
f0cf43422b9db8db5a06c35787d0d13a

SHA1
31f60e21a218a4d03d10efc96efcac78a7e2ed19

SHA256
f9ad5fe78a9d4c0dd659531381b88684802e2700566432e3615b076454b6a6a5

SHA512
33379935446431942ae366ce674f71de9c293d644df8aa9059fa9ecdd2f085de59b4d3821403013dbf2732626fd2772e3e3613e503891378b67892e2a871b249

Download Submit
memory/1712-20-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1712-1-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1712-2-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1712-17-0x0000000075502000-0x0000000075503000-memory.dmp

Filesize
4KB

Download
memory/1712-18-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/1712-0-0x0000000075502000-0x0000000075503000-memory.dmp

Filesize
4KB

Download
memory/2608-21-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-19-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-22-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/2608-29-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4768-28-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-30-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-31-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download
memory/4768-32-0x0000000075500000-0x0000000075AB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads