njrat | ebcdf0ea7146fac2e4d68409c125892102c8b65c97321d7a57e1386ce69d5e09

General

Target

5d9806d592202444f84ae3e14398975c.exe
Size

116KB
MD5

5d9806d592202444f84ae3e14398975c
SHA1

17347e5f8cde10bff0e30c7946e6d8c6958dbfd7
SHA256

ebcdf0ea7146fac2e4d68409c125892102c8b65c97321d7a57e1386ce69d5e09
SHA512

3e27103bc81e87ee61840e66d3be0adcc7d1aa2bf1fb803e92f734b2aa8503a30fbe06e369e72d5557594a10b377c5dc0698f1c458ca00b97c6131fb89d1bbb6
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdee:P5eznsjsguGDFqGZ2rP

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2700	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	chargeable.exe
3048	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	5d9806d592202444f84ae3e14398975c.exe
2136	5d9806d592202444f84ae3e14398975c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	5d9806d592202444f84ae3e14398975c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5d9806d592202444f84ae3e14398975c.exe"	5d9806d592202444f84ae3e14398975c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 3048	2576	chargeable.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d9806d592202444f84ae3e14398975c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe
Token: 33	3048	chargeable.exe
Token: SeIncBasePriorityPrivilege	3048	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2576	2136	5d9806d592202444f84ae3e14398975c.exe	30
PID 2136 wrote to memory of 2576	2136	5d9806d592202444f84ae3e14398975c.exe	30
PID 2136 wrote to memory of 2576	2136	5d9806d592202444f84ae3e14398975c.exe	30
PID 2136 wrote to memory of 2576	2136	5d9806d592202444f84ae3e14398975c.exe	30
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 2576 wrote to memory of 3048	2576	chargeable.exe	31
PID 3048 wrote to memory of 2700	3048	chargeable.exe	32
PID 3048 wrote to memory of 2700	3048	chargeable.exe	32
PID 3048 wrote to memory of 2700	3048	chargeable.exe	32
PID 3048 wrote to memory of 2700	3048	chargeable.exe	32

C:\Users\Admin\AppData\Local\Temp\5d9806d592202444f84ae3e14398975c.exe
"C:\Users\Admin\AppData\Local\Temp\5d9806d592202444f84ae3e14398975c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
e7122c733f9e37bba0ca4c985ce11d6d

SHA1
d661aa5b31ff7ef2df9bc4095279058c36499af2

SHA256
acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

SHA512
84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
bb2e13f605e7d7ba4de15cc6da927e8d

SHA1
1fb4c12bae63905e4ea505cfd7cd23e374a2eb2c

SHA256
f234960359648baeaca02d67d98870c4f29ca3813bc8293a8163ac88710237ac

SHA512
1166e1dc465e757ee5817963764a34659778d23b56c76122e168b4949b6ebe497d120f226ecf2f1094a9b54390813388fd865813ffee4fd41c5e4d5b6ae324d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9933df93be5699d5f837a1f50c9a39a7

SHA1
33cba5a1d295afeca09fbeaf1eea0c2ca380e5fc

SHA256
3ccf201de441efdab64e7934dd71fdc4961c2b611d199f03a362c30e0faf5ea9

SHA512
d6408aef89904293ff024366c825b42757d5ff92dbe9437da568fef4285587c69c81b8e8acf4ba6d9a32b5d4beb10f18ecb7d7422b049310917b03ae9a27ed49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6a030e9e0c8ac942752f14ee3f3d3a5f

SHA1
6596fb3191c6607b8b79180b277ffe0e2522d77e

SHA256
aa8dc02099bf07035a6fb872662bf63392192236196287fdd8d2ae6af4c1cfb8

SHA512
3236de814c7a2b7c1321f3b105a8ea30b8341f9e2444af20cc5c701be4d12ce3a9b5ddf152fd35be36c4690aef72dd3ff30042b573ab56d8eef245cfd9288366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d9b0510bfc313805ef53c1435d2bc3dd

SHA1
de649ab251419219d91984d3f25c0fba83bdeb4b

SHA256
f6e275eabb4cde3a78a5ad5eadd563f87d6bacab1b76bc12fd52d06da2f0e7b2

SHA512
58551baabb71bc3976ebebd6bb17b435e0483eeb4be06a3dae3c2b3409edb23bfad9800e89166270df16934996b9df67d7805403ef062bea2939f2def4774976

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD8F3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD925.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
116KB

MD5
bd7f0967d59b7737ed847bef527a5b48

SHA1
c044fe113a14e49df15f17963fced45bae46c5cd

SHA256
5cca061a2467ddee96d5d4b01a1bde1eb6c1e45e21f972a6e9ebf133f0ce6170

SHA512
e0ab733804c53169044283f92722bdffcaddf7a8a5d1f00f085ef68e20d2b67234da75d93477c5c0baa66584c1ff5be14d3968f451198b606d4f8924e3db92ea

Download Submit
memory/2136-175-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-0-0x0000000074961000-0x0000000074962000-memory.dmp

Filesize
4KB

Download
memory/2136-9-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/2136-1-0x0000000074960000-0x0000000074F0B000-memory.dmp

Filesize
5.7MB

Download
memory/3048-342-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3048-345-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3048-344-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads