njrat | 1fd77b4983a23ba908746e571a7343687356382104476872892fad0bb21bf1c6

General

Target

4fb70c06fdefcc1595dc603fea1da470N.exe
Size

116KB
MD5

4fb70c06fdefcc1595dc603fea1da470
SHA1

868e36d53792bf49b3ce8c7e4ec6aa146ab64001
SHA256

1fd77b4983a23ba908746e571a7343687356382104476872892fad0bb21bf1c6
SHA512

f9d895b727cac4e57e8754782ebad9756f21f111b4b75e3806da4da3c13177e70c306e8491080b238535e04592826a48be24e0ced158497abd58c913f32bedf4
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLZbL:P5eznsjsguGDFqGZ2rDLt

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3132	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	4fb70c06fdefcc1595dc603fea1da470N.exe

Executes dropped EXE 2 IoCs

pid	Process
2152	chargeable.exe
2156	chargeable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	4fb70c06fdefcc1595dc603fea1da470N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4fb70c06fdefcc1595dc603fea1da470N.exe"	4fb70c06fdefcc1595dc603fea1da470N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2152 set thread context of 2156	2152	chargeable.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4fb70c06fdefcc1595dc603fea1da470N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe
Token: 33	2156	chargeable.exe
Token: SeIncBasePriorityPrivilege	2156	chargeable.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2152	936	4fb70c06fdefcc1595dc603fea1da470N.exe	97
PID 936 wrote to memory of 2152	936	4fb70c06fdefcc1595dc603fea1da470N.exe	97
PID 936 wrote to memory of 2152	936	4fb70c06fdefcc1595dc603fea1da470N.exe	97
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2152 wrote to memory of 2156	2152	chargeable.exe	98
PID 2156 wrote to memory of 3132	2156	chargeable.exe	99
PID 2156 wrote to memory of 3132	2156	chargeable.exe	99
PID 2156 wrote to memory of 3132	2156	chargeable.exe	99

C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe
"C:\Users\Admin\AppData\Local\Temp\4fb70c06fdefcc1595dc603fea1da470N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chargeable.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
116KB

MD5
c69b11f1d7fa215ac43e9d1551ce3e65

SHA1
5a071035914b2ae081a6b359b4d07fbf5f4a2055

SHA256
e05ecbdc9ac7024c3e9c3ee37a9a9eb8b8f27b02736910c4b7ccb6d4f1795049

SHA512
97d9b93fdbde6db006cbcdcaeafb7fca2d9bc77472e4a851ff66616f93df11449ab7faab42ceb4a302254a31ebab11e8e12f5cd9ad26140562372e70ca54955c

Download Submit
memory/936-7-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/936-19-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/936-0-0x0000000075482000-0x0000000075483000-memory.dmp

Filesize
4KB

Download
memory/936-2-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/936-20-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/936-1-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/936-6-0x0000000075482000-0x0000000075483000-memory.dmp

Filesize
4KB

Download
memory/2152-22-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2152-23-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2152-21-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2152-28-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2156-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2156-29-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2156-30-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download
memory/2156-31-0x0000000075480000-0x0000000075A31000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads