njrat | af9bf280613d5c0a55a543573fa943191ac171c6e36ab8ba474abc3d32572bc0

General

Target

31bb4a299ec1bdeceef2ce35b9d28750N.exe
Size

118KB
MD5

31bb4a299ec1bdeceef2ce35b9d28750
SHA1

ef94ad27c4605c6d499237f72cbba44848454b87
SHA256

af9bf280613d5c0a55a543573fa943191ac171c6e36ab8ba474abc3d32572bc0
SHA512

3bf5cfe3786e27fd9848ca3c7757313fd1ef8a99427520202ac6dc58ec11505b301bf44e5a1b2ad2eb0d755a0a2c40b0e31403f8904c0e66740638d16b09ab31
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDL14FOK:P5eznsjsguGDFqGZ2rDL14FOK

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2892	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2296	chargeable.exe
1532	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe
2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\31bb4a299ec1bdeceef2ce35b9d28750N.exe"	31bb4a299ec1bdeceef2ce35b9d28750N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	31bb4a299ec1bdeceef2ce35b9d28750N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 1532	2296	chargeable.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31bb4a299ec1bdeceef2ce35b9d28750N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe
Token: 33	1532	chargeable.exe
Token: SeIncBasePriorityPrivilege	1532	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2296	2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe	30
PID 2416 wrote to memory of 2296	2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe	30
PID 2416 wrote to memory of 2296	2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe	30
PID 2416 wrote to memory of 2296	2416	31bb4a299ec1bdeceef2ce35b9d28750N.exe	30
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 2296 wrote to memory of 1532	2296	chargeable.exe	31
PID 1532 wrote to memory of 2892	1532	chargeable.exe	33
PID 1532 wrote to memory of 2892	1532	chargeable.exe	33
PID 1532 wrote to memory of 2892	1532	chargeable.exe	33
PID 1532 wrote to memory of 2892	1532	chargeable.exe	33

C:\Users\Admin\AppData\Local\Temp\31bb4a299ec1bdeceef2ce35b9d28750N.exe
"C:\Users\Admin\AppData\Local\Temp\31bb4a299ec1bdeceef2ce35b9d28750N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

Filesize
1KB

MD5
e7122c733f9e37bba0ca4c985ce11d6d

SHA1
d661aa5b31ff7ef2df9bc4095279058c36499af2

SHA256
acc9932453f5aa68f4b95986668f5584f99e55bbe02eefc0d0960dab376df81a

SHA512
84cddf68a46f455b4ebbb8c0c70607fe60796cfc5eabdace12d0684a1323af9681700acbdbdc37e63d7806d0220fce9cba5213bb35cee056f9d71646f98711b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

Filesize
264B

MD5
e875d63d2bb7eeffc165d356d2890833

SHA1
72c5a9dab664281afb2ec8f55d61b95ae67f442c

SHA256
5f9df250194132f1ee438a10f5ce35d5a0214b591852e17b00044add52bdb71d

SHA512
35753941490920905b8d7d069392b0080528fc6e81f15185a3797c5ec79d734354acd1e44ef559c27d62b28099c8206a4d83cda906028f3aaf6a52d4e5556d97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81663988f2e066025d29dad71304e067

SHA1
e85f25d6469fa979b94a09c419fd602defba06c6

SHA256
6fa66c1c2fe686633a1253d1bd195843887f2095a9fd38d1a9edbbbaa1d2d27d

SHA512
c7216dabd824ddf42125582a4270fd5d00b070981adb068ce099bd52254245399ac75f622091761f4eb80d011a15a111792571fbae444e889fcb50f5789803ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbbfaeaac88e6559ddaabd909a572feb

SHA1
3a1281979bf1db9bcb982115a14519d6a8d86c66

SHA256
fb362d2184cea94c2806f179f0cbfc0d44d9c0d7a061934cdb03f8c019334415

SHA512
fe352fb91ef9bd7491600539e200bc5414195257dfb280fd86a2f968316aeebcc430461148c54ed077e9ad46d1370ee9ce15e5080ac84aef295211b787a75826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e074f7a5aa72c0883454ec08880faff

SHA1
ac207cd1a34a7d1e2b6737a60351c86521c3d3d1

SHA256
4a9b70eb496ed7f545d57527458275d265390ae5536fcac9ebd6037a2b9094c1

SHA512
45e144e8ee2f39a4f4ee0bcbd434218ad83c921b3ff17633fbbf9ae97a29d6791d8c6f616457aa00617e99e5ab894d82258a545eaa685b6cb8a9752ee75fdc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9149.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar914C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
118KB

MD5
c9faa21276fe112fb3575cde36ed9991

SHA1
5499ad4e45f4afe7c3c799362298e6eb731cf8b7

SHA256
12b7fba05db1e4826816b457bea944b99ee94953bfe44a638a3961f68c3bad1a

SHA512
3989384f162ee2ce0b7cd51afc0d39ae84434d52c1cde1736289abb62272501fbdfc3f6893a1bf3e0a82b84b93cbe759b325da6e0cd83aacc6c753e77e4b0ec7

Download Submit
memory/1532-344-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1532-346-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2416-167-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-168-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-186-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-0-0x0000000074791000-0x0000000074792000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/2416-1-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads