njrat | ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a

General

Target

filetest.exe
Size

33KB
MD5

ef59fb3c39255044648423954f1da668
SHA1

45cf2370789c5314fa2c57221ca02b6ef877be60
SHA256

ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a
SHA512

907aefa515e7df8dd215f57ec47d96e79cf5b63b0a4e7aeb81ed8ce2540796dd4281ce46d3b06b4bda4c250aec6bd62b83b5018979cea064fa7f37fd7e55f101
SSDEEP

768:uR5KrKvDIAuBtvoY2vIP0S9QY3UuTWUSX94HPy8R9:rKvMnf2Ie+U1NX94vy8/

Score

10^/10

njrat hacked defense_evasion discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Mutex

ee714fb89d1a0ba22c66b8980599112e

Attributes

reg_key
ee714fb89d1a0ba22c66b8980599112e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2872	Server.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2872	Server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	powershell.exe
2572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	AcroRd32.exe
1624	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 2216	1444	filetest.exe	30
PID 1444 wrote to memory of 2216	1444	filetest.exe	30
PID 1444 wrote to memory of 2216	1444	filetest.exe	30
PID 1444 wrote to memory of 2572	1444	filetest.exe	32
PID 1444 wrote to memory of 2572	1444	filetest.exe	32
PID 1444 wrote to memory of 2572	1444	filetest.exe	32
PID 1444 wrote to memory of 2872	1444	filetest.exe	34
PID 1444 wrote to memory of 2872	1444	filetest.exe	34
PID 1444 wrote to memory of 2872	1444	filetest.exe	34
PID 2872 wrote to memory of 1820	2872	Server.exe	35
PID 2872 wrote to memory of 1820	2872	Server.exe	35
PID 2872 wrote to memory of 1820	2872	Server.exe	35
PID 1820 wrote to memory of 1624	1820	rundll32.exe	36
PID 1820 wrote to memory of 1624	1820	rundll32.exe	36
PID 1820 wrote to memory of 1624	1820	rundll32.exe	36
PID 1820 wrote to memory of 1624	1820	rundll32.exe	36

C:\Users\Admin\AppData\Local\Temp\filetest.exe
"C:\Users\Admin\AppData\Local\Temp\filetest.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZwBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAZgB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABvAHcAbgBsAG8AYQBkACAARQByAHIAbwByACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAawBnACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdABkACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\nudes
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\nudes"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
24KB

MD5
fa9439d61c3c28bb92a75095cf39d6bc

SHA1
a959b37a215b1417e72fb7df722e9cecd8f29629

SHA256
5f135cd0ac161e5ec8e90598e5ad2f1db3981a597a3c0f1cbd4aac54189c62a8

SHA512
49703b19e66daa3932dc7074b99ef6859005b45f99b7cd84d3681291cf006b4526ca7561bbfeb6c1527fa7ab57d9164eaaf331af3308416b23ac6e5cc59c7fa2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
12a21f0ce198028be6e5d7b8b252db20

SHA1
af8abee61c93097d53f950139cad28e8ed0c2ede

SHA256
2e39f331acbfe2b6f106c7a373f64b1b635e6542a6b5f626b17468e5dc58c4c0

SHA512
ee23c4c4ca8f8ef50931ba2c95cb7bef15cce116fc10a75759b8b8fad69cba204a998cc47407c9bd2b1266b53203cef0457c620b38a5f04e62219ee973cce32c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c5f82a5a8c32ae47d34dd2a264e1e2af

SHA1
10a4b3342dc484358c88c9c45b41f82f69a3febf

SHA256
687d68db1da41b26737410a8067cdcff005e65a5c3ae6e7fa519bab9f5a3299f

SHA512
104e1968bb0a3e1866c91836c95e9764501aa31210f1d5ce9316447cebe45fbd299a3d851b5f37b60662c6da30a633711eb068a4f07390e0f5d9da2970801fbe

Download Submit
memory/1444-10-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/1444-0-0x000007FEF4F63000-0x000007FEF4F64000-memory.dmp

Filesize
4KB

Download
memory/1444-11-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-22-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-2-0x000007FEF4F60000-0x000007FEF594C000-memory.dmp

Filesize
9.9MB

Download
memory/1444-1-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/2216-8-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2216-9-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2216-12-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2216-7-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2872-20-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing