njrat | afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy Checker v0.2/Proxy Checker v0.2 Crack.exe
Size

1.1MB
MD5

c23fa9a76be0e91ae95ab347e68a8a17
SHA1

3e8fee7b1729113fa86d53e7eb7135b32d50da96
SHA256

b0356479bb707ba0be06277723150e0401960783d21ab1a97fe76d6723546022
SHA512

6634aac9cb6abbe348fe5befeb1218ed0937713570190a2a1ea05da1b959a17f722eeff5d27d3464ba3f3cf19986d1364cb73b71de76997d99df82ebdb3512eb
SSDEEP

12288:lMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9eZLtL0ERDyKj:lnsJ39LyjbJkQFMhmC+6GD9ItwERDF

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7 MultiHost

Botnet

HacKed

fgtgd33333.ddns.net:1177

Mutex

8746d62c81bb0c573a0a1086f9955c7b

Attributes

reg_key
8746d62c81bb0c573a0a1086f9955c7b
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCleaner.lnk	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
3016	._cache_Proxy Checker v0.2 Crack.exe
2768	Synaptics.exe
1484	._cache_Synaptics.exe
2152	svchost.exe
2544	svchost.exe
1472	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2884	Proxy Checker v0.2 Crack.exe
2884	Proxy Checker v0.2 Crack.exe
2884	Proxy Checker v0.2 Crack.exe
2768	Synaptics.exe
2768	Synaptics.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Proxy Checker v0.2 Crack.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\8746d62c81bb0c573a0a1086f9955c7b = "\"C:\\Users\\Public\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy Checker v0.2 Crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1804	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe
Token: 33	2152	svchost.exe
Token: SeIncBasePriorityPrivilege	2152	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 3016	2884	Proxy Checker v0.2 Crack.exe	30
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2884 wrote to memory of 2768	2884	Proxy Checker v0.2 Crack.exe	31
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 2768 wrote to memory of 1484	2768	Synaptics.exe	32
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 3016 wrote to memory of 2152	3016	._cache_Proxy Checker v0.2 Crack.exe	37
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 2152 wrote to memory of 1952	2152	svchost.exe	38
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 2544	992	taskeng.exe	41
PID 992 wrote to memory of 1472	992	taskeng.exe	42
PID 992 wrote to memory of 1472	992	taskeng.exe	42
PID 992 wrote to memory of 1472	992	taskeng.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 Crack.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Public\svchost.exe
    "C:\Users\Public\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn Skype /tr "C:\Users\Public\svchost.exe
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1952
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:1484

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\taskeng.exe
taskeng.exe {387359D2-1616-4CD4-B180-4D2A489A267C} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Public\svchost.exe
  C:\Users\Public\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Users\Public\svchost.exe
  C:\Users\Public\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
c23fa9a76be0e91ae95ab347e68a8a17

SHA1
3e8fee7b1729113fa86d53e7eb7135b32d50da96

SHA256
b0356479bb707ba0be06277723150e0401960783d21ab1a97fe76d6723546022

SHA512
6634aac9cb6abbe348fe5befeb1218ed0937713570190a2a1ea05da1b959a17f722eeff5d27d3464ba3f3cf19986d1364cb73b71de76997d99df82ebdb3512eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKXlAeur.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BKXlAeur.xlsm

Filesize
23KB

MD5
4a84c32cd8cdd5bfc78a47cd118d049c

SHA1
16209c349d63b3d45cae2471b37e6a957542c56f

SHA256
7d6b0a489686bccfc3d3a4319554f631b4002d225a9961c7dbce24c1c02faf7a

SHA512
3f2d50dc624f9502310a245645a540b1d49a3cff80f5a04d48cf549b908d4d9585731a561e840baa680923526e93a48e6abcc5d6a24d95b5474cf0cee988a491

Download Submit
\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 Crack.exe

Filesize
346KB

MD5
2c35cb3cc2e236e6d12a5e80c5ca8a08

SHA1
fc213a4dd34fa096432850fc4ca899794f36f9d0

SHA256
e7268ad15e40087bcae6d5c42f1c39d6e32456ff33c38b5a7ff876317b456c7b

SHA512
ff4869b16402f0eb84dd8bec2fbaca170b55184c8e2ad10126e1b3b0a4e63fde27d63b89c6dd9679cbf94733a0e6ef52ecf36165430ed86fea95609c213c6455

Download Submit
memory/1804-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1804-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2768-92-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2768-121-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2768-79-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2884-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2884-26-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/3016-17-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download
memory/3016-81-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/3016-78-0x0000000000AC0000-0x0000000000B40000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads