General

  • Target

    svchost.exe

  • Size

    178KB

  • Sample

    240622-rgp3ra1clc

  • MD5

    8c5888968cfdb6a017ee0e480e958321

  • SHA1

    7b44a84ed6544709cac184ccc9c901157b0ed76a

  • SHA256

    ce78bc90ee00ff4ba34b9a98c6cc88f55d93a3ac3366bb587421f4e55f4f86ad

  • SHA512

    631f04864b4d1e746a6820d40f7ef450f8b026649ca4ed87d7702d4c2516c6f63ddbf5418dc0f5b0577a4a1a1c338ecdc6f2d582d0d8346d94b1faee9cce1065

  • SSDEEP

    3072:QrhzCyHoN36tHQviFCvoBnEfWl9zyaF9biYvMG4NpVq8BxFRzaqF+o2GQJ7/Jzqo:QMk9zhvMGgVqwlL

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

LOX

C2

127.0.0.1:11166

Mutex

Microsoft Edge

Attributes
  • reg_key

    Microsoft Edge

  • splitter

    |Ghost|

Targets

    • Target

      svchost.exe

    • Size

      178KB

    • MD5

      8c5888968cfdb6a017ee0e480e958321

    • SHA1

      7b44a84ed6544709cac184ccc9c901157b0ed76a

    • SHA256

      ce78bc90ee00ff4ba34b9a98c6cc88f55d93a3ac3366bb587421f4e55f4f86ad

    • SHA512

      631f04864b4d1e746a6820d40f7ef450f8b026649ca4ed87d7702d4c2516c6f63ddbf5418dc0f5b0577a4a1a1c338ecdc6f2d582d0d8346d94b1faee9cce1065

    • SSDEEP

      3072:QrhzCyHoN36tHQviFCvoBnEfWl9zyaF9biYvMG4NpVq8BxFRzaqF+o2GQJ7/Jzqo:QMk9zhvMGgVqwlL

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks