njrat | 1dbda519a644e4d68ce67947ada332f98f85b56bebfa8d9be86cb711466095ff

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plague crack/Launcher.bat
Size

45B
MD5

23e45603d9174a3c459e0f776395fce2
SHA1

45401deff1d3c0b621e524950c94e8746b2a73d0
SHA256

69f1cff5fe133b95f7d1ecb31328136816f21d232758d47c4afff91ef27f42ce
SHA512

af0bdbd88d5d828707a69b472e591fa20a1b808c5fec10b018ef28e7cae58172b374974773d1befd98ee1e6985d9d4e8267ef4d03f4fd3e87faef10457a3ab85

Score

10^/10

njrat evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Loader.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	Loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plague crack\\Loader.exe"	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plague crack\\Loader.exe"	Loader.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2696	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2316	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Plague crack\\Loader.exe"	Loader.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe
100	Loader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
100	Loader.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeBackupPrivilege	100	Loader.exe
Token: SeRestorePrivilege	100	Loader.exe
Token: SeDebugPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe
Token: 33	2316	svchost.exe
Token: SeIncBasePriorityPrivilege	2316	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
100	Loader.exe
4224	Loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 4956	2940	cmd.exe	84
PID 2940 wrote to memory of 4956	2940	cmd.exe	84
PID 2940 wrote to memory of 4956	2940	cmd.exe	84
PID 2940 wrote to memory of 100	2940	cmd.exe	85
PID 2940 wrote to memory of 100	2940	cmd.exe	85
PID 2940 wrote to memory of 100	2940	cmd.exe	85
PID 4956 wrote to memory of 2316	4956	Client.exe	90
PID 4956 wrote to memory of 2316	4956	Client.exe	90
PID 4956 wrote to memory of 2316	4956	Client.exe	90
PID 2316 wrote to memory of 2696	2316	svchost.exe	91
PID 2316 wrote to memory of 2696	2316	svchost.exe	91
PID 2316 wrote to memory of 2696	2316	svchost.exe	91

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Plague crack\Launcher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\Plague crack\Client.exe
  client.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2696
- C:\Users\Admin\AppData\Local\Temp\Plague crack\Loader.exe
  Loader.exe
  2⤵
  - UAC bypass
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:100

C:\Users\Admin\AppData\Local\Temp\Plague crack\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Plague crack\Loader.exe" explorer.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
31KB

MD5
390d34e903b86af3619fd35dd30378c6

SHA1
0e2fedee3f816ae525643dd61d3841c57f99803a

SHA256
d5a59b3315fce1989e6681262328e355f228a0691cef9b693d8b721c88830d1b

SHA512
410f7d82cc51fd5ef4aef8d2cecbaebd833d600f2d1c942846302a6cce3f9cdf9823fcfd9b9daa7cf1988eb07c36dc7e3a240eaad1f0d3315270031129a2cedd

Download Submit
memory/100-163-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-55-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-98-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-224-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-203-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-81-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-2-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/100-34-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-121-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-249-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-308-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-287-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-56-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/100-142-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-268-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/100-184-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/4224-15-0x0000000000400000-0x00000000006D0000-memory.dmp

Filesize
2.8MB

Download
memory/4224-12-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4956-25-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download
memory/4956-0-0x0000000074852000-0x0000000074853000-memory.dmp

Filesize
4KB

Download
memory/4956-3-0x0000000074852000-0x0000000074854000-memory.dmp

Filesize
8KB

Download
memory/4956-1-0x0000000074850000-0x0000000074E01000-memory.dmp

Filesize
5.7MB

Download