njrat | d452f668052e9768cbd68bb14b51569090883ba33b19da0c15048012e811420a

General

Target

kaban.exe
Size

43KB
MD5

cf1be61ec41bd78ec5e3df069df3f738
SHA1

b0848fd421ab5d00a179d3edc61c9deb3ef4879f
SHA256

c9c46d2376eeccbdd123434f7e3a85520769ef0520ae66537b84bcf12b7b3c2d
SHA512

3495b240208c3e1d8c751d64c66b3bfe2e61e42889751fff65f35fcad0377d2b4530834eb030131ea3383233b88705ebf05b229b5c858d6c22fcd74f6f530d64
SSDEEP

384:+ZyTH1mmkuHQUyzprtRdUIgE49XNP9f4zAIij+ZsNO3PlpJKkkjh/TzF7pWnGZgy:E+Hkgwhzf3lo9R9OuXQ/o3x+L

Score

10^/10

njrat dllhost discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

dllhost

C2

pupkinvasya.ddns.net:7777

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	kaban.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kaban.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5084	kaban.exe
3968	dllhost.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe
Token: 33	3968	dllhost.exe
Token: SeIncBasePriorityPrivilege	3968	dllhost.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3968	5084	kaban.exe	93
PID 5084 wrote to memory of 3968	5084	kaban.exe	93
PID 5084 wrote to memory of 3968	5084	kaban.exe	93

C:\Users\Admin\AppData\Local\Temp\kaban.exe
"C:\Users\Admin\AppData\Local\Temp\kaban.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dllhost.exe

Filesize
43KB

MD5
cf1be61ec41bd78ec5e3df069df3f738

SHA1
b0848fd421ab5d00a179d3edc61c9deb3ef4879f

SHA256
c9c46d2376eeccbdd123434f7e3a85520769ef0520ae66537b84bcf12b7b3c2d

SHA512
3495b240208c3e1d8c751d64c66b3bfe2e61e42889751fff65f35fcad0377d2b4530834eb030131ea3383233b88705ebf05b229b5c858d6c22fcd74f6f530d64

Download Submit
memory/3968-17-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-16-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-18-0x0000000005270000-0x000000000527A000-memory.dmp

Filesize
40KB

Download
memory/3968-19-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3968-20-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-2-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/5084-3-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/5084-4-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-5-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/5084-1-0x0000000000100000-0x0000000000112000-memory.dmp

Filesize
72KB

Download
memory/5084-15-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/5084-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing