njrat | 25c9d000b42a92daeb66f415dab93a5f6d97fe8efbd7855dc08490c93a06ce87

General

Target

cc checker.exe
Size

36KB
MD5

2bde8284cee1fa0fe32a7b815e6b386a
SHA1

8d9f12d9f97980171317fa2fc9ef5a42b50af82a
SHA256

68925c30a00e4698111dd2f8f342568d120beb13ba2442e8129cfc79f8fd08ec
SHA512

847d8739cd122c758051f1620d9212c759d6e8c03b6b9510ad9589937f82c6326c94c39b57fdd4df7780b1455f094fbcaa1769ab8c890233d9fee55deeeaef99
SSDEEP

384:cfiZ9ktDWlPWPISeq90KTqZyQiiAnuPXMmWTetT2/F1qzsEQT:cfiZaDWNwJ9MyQiiCcKT

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cc checker.exe

Executes dropped EXE 1 IoCs

pid	Process
3100	srss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srss.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\srss.exe\""	cc checker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	srss.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe
Token: 33	3100	srss.exe
Token: SeIncBasePriorityPrivilege	3100	srss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3100	2180	cc checker.exe	87
PID 2180 wrote to memory of 3100	2180	cc checker.exe	87
PID 2180 wrote to memory of 3100	2180	cc checker.exe	87

C:\Users\Admin\AppData\Local\Temp\cc checker.exe
"C:\Users\Admin\AppData\Local\Temp\cc checker.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\srss.exe
  "C:\Users\Admin\AppData\Local\Temp\srss.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\srss.exe

Filesize
48.9MB

MD5
9b4b3c5c20595d105b1de74807f63844

SHA1
5e8c0de9fb4e30363e596ea4a40fe6494b0a6c49

SHA256
82c787a1fdf81f4e57f7bdc22e782bdadcd7611cf468c7570a43c08aadbbdc73

SHA512
72014b71bbae7f6c5d4e66778b08a90e3cb710066b05ff0561d3f40b692185618dcd2ca82f8ba30090943040b8e190c7b69eb1ccbed15cfc24236eff4fabe1b5

Download Submit
memory/2180-0-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2180-2-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2180-4-0x0000000074BF2000-0x0000000074BF3000-memory.dmp

Filesize
4KB

Download
memory/2180-5-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/2180-18-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-17-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-20-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-19-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-21-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download
memory/3100-22-0x0000000074BF0000-0x00000000751A1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads