njrat | 39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52

General

Target

39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe
Size

114KB
MD5

2bc33e129d53f2d2a3a6387910d73111
SHA1

567e478405352dfa7aca5da09e65ac8c679abc7d
SHA256

39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52
SHA512

0c6d82669d5d14f9fbc0a327079fc7c1ac6ebf2530933887d7298c3da2ca5988be7da83c14cbd9e12944d79cf940787869770a4ffcc7f5df261fe66192ef0df1
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMz:P5eznsjsguGDFqGZ2rz

Score

10^/10

njrat neuf evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4784 netsh.exe

pid	process
4784	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe

Executes dropped EXE 2 IoCs

Processes:

chargeable.exechargeable.exe

pid process

4068 chargeable.exe
2172 chargeable.exe

pid	process
4068	chargeable.exe
2172	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe"	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

chargeable.exe

description pid process target process

PID 4068 set thread context of 2172 4068 chargeable.exe chargeable.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4068 set thread context of 2172	4068	chargeable.exe	chargeable.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

chargeable.exe

description	pid	process
Token: SeDebugPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe
Token: 33	2172	chargeable.exe
Token: SeIncBasePriorityPrivilege	2172	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exechargeable.exechargeable.exe

description	pid	process	target process
PID 432 wrote to memory of 4068	432	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe	chargeable.exe
PID 432 wrote to memory of 4068	432	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe	chargeable.exe
PID 432 wrote to memory of 4068	432	39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 4068 wrote to memory of 2172	4068	chargeable.exe	chargeable.exe
PID 2172 wrote to memory of 4784	2172	chargeable.exe	netsh.exe
PID 2172 wrote to memory of 4784	2172	chargeable.exe	netsh.exe
PID 2172 wrote to memory of 4784	2172	chargeable.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe
"C:\Users\Admin\AppData\Local\Temp\39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
114KB

MD5
85150bfa1c192ec08533f8fd87c214ee

SHA1
1ae763d86478d66b99230469f17b39678d78ce78

SHA256
734dc761c04fd137de6facf06af6c8e72fd652e23c503c73b80602a6e68468f1

SHA512
8e8ca36f9f7cfa6aecb52e965fd4a38c548296b57963cb7b822b4fb16b9e81af41f45ef343c01d98418487bac52fe5182779738ff4eb12e90cbb2e1b41271aa8

Download Submit
memory/432-0-0x0000000075012000-0x0000000075013000-memory.dmp

Filesize
4KB

Download
memory/432-1-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/432-2-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/432-17-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-24-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2172-26-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-27-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/2172-28-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-19-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-20-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-18-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download
memory/4068-25-0x0000000075010000-0x00000000755C1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads