Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-09-2024 01:20

General

  • Target

    BO2 Destiny CRAK By Nice Tutorial.exe

  • Size

    290KB

  • MD5

    0334d91acae1fd486041114e1412a5c5

  • SHA1

    913f48c32a9ee734475638e0830f038cfa0abd9f

  • SHA256

    f5d807a8dd24d15bb164528e7141f2daa80f3464e3e1f3b5088ec5829cc40f99

  • SHA512

    227b3a1ef30f00d065c042d5a11c5f8c4a0f27aab4dda452a52dcd7e90b5d91584642abac0fbcdf0bdc3111cd86e4cb7f2f95e383fdbcb5699ac3747459ef192

  • SSDEEP

    3072:fWqRgWra/a47L75pOOwaUOdFy8apU2sA7Po83QOM/JLt2hEdNCMJqkase0m2jobT:fm1CvxsA7PBmpt28NCxktM2job

Malware Config

Extracted

  • Family
    njrat
  • Version
    im523
  • Botnet
    HacKed
  • C2
    GoogleChromeServer.ddns.net:7777
  • Mutex
    fffdfaa66ba1e7c60e37f984374eb2b4
  • Attributes
    • reg_key
      fffdfaa66ba1e7c60e37f984374eb2b4
    • splitter
      |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Drops autorun.inf file (1 TTP, 5 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (40 IoCs)
  • Suspicious use of FindShellTrayWindow (50 IoCs)
  • Suspicious use of SendNotifyMessage (50 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe
    "C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe"
    • Drops startup file
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe" "BO2 Destiny CRAK By Nice Tutorial.exe" ENABLE
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:4468
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2808
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • F:\svchost.exe
    Filesize 290KB
    MD5 0334d91acae1fd486041114e1412a5c5
    SHA1 913f48c32a9ee734475638e0830f038cfa0abd9f
    SHA256 f5d807a8dd24d15bb164528e7141f2daa80f3464e3e1f3b5088ec5829cc40f99
    SHA512 227b3a1ef30f00d065c042d5a11c5f8c4a0f27aab4dda452a52dcd7e90b5d91584642abac0fbcdf0bdc3111cd86e4cb7f2f95e383fdbcb5699ac3747459ef192
  • memory/1400-14-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-5-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-15-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-4-0x000000001C7A0000-0x000000001C83C000-memory.dmp
    Filesize 624KB
  • memory/1400-1-0x000000001BC60000-0x000000001BD06000-memory.dmp
    Filesize 664KB
  • memory/1400-6-0x000000001BBE0000-0x000000001BBE8000-memory.dmp
    Filesize 32KB
  • memory/1400-7-0x000000001C900000-0x000000001C94C000-memory.dmp
    Filesize 304KB
  • memory/1400-8-0x000000001C9C0000-0x000000001CA26000-memory.dmp
    Filesize 408KB
  • memory/1400-9-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-10-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-11-0x000000001C8E0000-0x000000001C8F0000-memory.dmp
    Filesize 64KB
  • memory/1400-25-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-13-0x00007FFDDAEC5000-0x00007FFDDAEC6000-memory.dmp
    Filesize 4KB
  • memory/1400-0-0x00007FFDDAEC5000-0x00007FFDDAEC6000-memory.dmp
    Filesize 4KB
  • memory/1400-3-0x000000001C1E0000-0x000000001C6AE000-memory.dmp
    Filesize 4.8MB
  • memory/1400-2-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-12-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-26-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/1400-27-0x00007FFDDAC10000-0x00007FFDDB5B1000-memory.dmp
    Filesize 9.6MB
  • memory/2604-28-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-30-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-29-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-37-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-38-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-40-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-39-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-36-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-35-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB
  • memory/2604-34-0x000002CF1DD10000-0x000002CF1DD11000-memory.dmp
    Filesize 4KB