Malware Analysis Report

2025-01-22 13:49

Sample ID 240901-xmwqdayhjk
Target 8b1df0d122c60401912e479f60afe89ff8e322da11966a79c8372be265f96599
SHA256 8b1df0d122c60401912e479f60afe89ff8e322da11966a79c8372be265f96599
Tags: njrat, hacked, discovery, trojan

Score: 10/10

Analysis Overview

Score: 10/10

SHA256

8b1df0d122c60401912e479f60afe89ff8e322da11966a79c8372be265f96599

Threat Level: Known bad

The file 8b1df0d122c60401912e479f60afe89ff8e322da11966a79c8372be265f96599 was found to be: Known bad.

Malicious Activity Summary

Tags: njrat, hacked, discovery, trojan

njRAT/Bladabindi

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-09-01 18:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-09-01 18:58

Reported

2024-09-01 19:01

Platform

win7-20240729-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
(the last two rows repeat 16 times in the original log; repeats collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe

"C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe"

C:\Users\Admin\AppData\Local\Temp\skyeee.exe

"C:\Users\Admin\AppData\Local\Temp\skyeee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 njjar.ddns.net udp

Files

\Users\Admin\AppData\Local\Temp\skyeee.exe

MD5 ca156366c023c64cb0a2074a57b8fa26
SHA1 21736f34aae1c70916e9e6ca090e0f0f4b592b6b
SHA256 b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9
SHA512 1588694779bafa6c59c010bf8593db765a6b54a16f4bf21f3a1f33f615d7db6cd7a9ee475f5b6f5eba4dfa096a4f74d3df0fa936f1d4bac9b02d342d2e670764

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-01 18:58

Reported

2024-09-01 19:01

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\skyeee.exe N/A
(the last two rows repeat 16 times in the original log; repeats collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe

"C:\Users\Admin\AppData\Local\Temp\b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9.exe"

C:\Users\Admin\AppData\Local\Temp\skyeee.exe

"C:\Users\Admin\AppData\Local\Temp\skyeee.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 njjar.ddns.net udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
(the njjar.ddns.net lookup appears 22 times in the original log, interleaved with the reverse lookups above; repeats collapsed)

Files

C:\Users\Admin\AppData\Local\Temp\skyeee.exe

MD5 ca156366c023c64cb0a2074a57b8fa26
SHA1 21736f34aae1c70916e9e6ca090e0f0f4b592b6b
SHA256 b2d8f64d585c4504658a80ef5d76d9cd42206c579d26a3e007bb74cc44b28ce9
SHA512 1588694779bafa6c59c010bf8593db765a6b54a16f4bf21f3a1f33f615d7db6cd7a9ee475f5b6f5eba4dfa096a4f74d3df0fa936f1d4bac9b02d342d2e670764
