njrat | dd05afbc110940d656d1af4c5a16542a636e0234941ae74ccb1d35d48f950b55

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.34.exe
Size

866KB
MD5

21724e0b24754244b7e43f20a132c7db
SHA1

da582b5d7da1743b89a243428c67a9fbd37fb21f
SHA256

dd05afbc110940d656d1af4c5a16542a636e0234941ae74ccb1d35d48f950b55
SHA512

0b193250c40ff4d0936a711194173e77f12063e1e3c0a348c773fa9393511b3a3db6e9f68ad5d146d25bdb0bc4d21ab133a53672c6c4d672858054fb439c02ea
SSDEEP

12288:d0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0zzA68:e5vgHWjTwAlocaKjyyItHDzUd

Score

10^/10

njrat veletroblox discovery evasion execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

veletroblox

tm6bqni.localto.net:5846

Mutex

d54b8b335e1de961884f3956c1c39c50

Attributes

reg_key
d54b8b335e1de961884f3956c1c39c50
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d54b8b335e1de961884f3956c1c39c50.exe	BootstrapperV1.32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d54b8b335e1de961884f3956c1c39c50.exe	BootstrapperV1.32.exe

Executes dropped EXE 3 IoCs

pid	Process
2840	BootstrapperV1.32.exe
2828	BootstrapperV1.22.exe
1180	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
2008	BootstrapperV1.34.exe
2008	BootstrapperV1.34.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\d54b8b335e1de961884f3956c1c39c50 = "\"C:\\Users\\Admin\\AppData\\Roaming\\BootstrapperV1.32.exe\" .."	BootstrapperV1.32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d54b8b335e1de961884f3956c1c39c50 = "\"C:\\Users\\Admin\\AppData\\Roaming\\BootstrapperV1.32.exe\" .."	BootstrapperV1.32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2416	sc.exe
3036	sc.exe
2112	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2040	cmd.exe
1760	PING.EXE

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1748	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1760	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	powershell.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe
2840	BootstrapperV1.32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	BootstrapperV1.32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe
Token: 33	2840	BootstrapperV1.32.exe
Token: SeIncBasePriorityPrivilege	2840	BootstrapperV1.32.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2840	2008	BootstrapperV1.34.exe	31
PID 2008 wrote to memory of 2840	2008	BootstrapperV1.34.exe	31
PID 2008 wrote to memory of 2840	2008	BootstrapperV1.34.exe	31
PID 2008 wrote to memory of 2840	2008	BootstrapperV1.34.exe	31
PID 2008 wrote to memory of 2828	2008	BootstrapperV1.34.exe	32
PID 2008 wrote to memory of 2828	2008	BootstrapperV1.34.exe	32
PID 2008 wrote to memory of 2828	2008	BootstrapperV1.34.exe	32
PID 2008 wrote to memory of 2828	2008	BootstrapperV1.34.exe	32
PID 2828 wrote to memory of 2976	2828	BootstrapperV1.22.exe	34
PID 2828 wrote to memory of 2976	2828	BootstrapperV1.22.exe	34
PID 2828 wrote to memory of 2976	2828	BootstrapperV1.22.exe	34
PID 2976 wrote to memory of 1748	2976	cmd.exe	36
PID 2976 wrote to memory of 1748	2976	cmd.exe	36
PID 2976 wrote to memory of 1748	2976	cmd.exe	36
PID 2840 wrote to memory of 2700	2840	BootstrapperV1.32.exe	37
PID 2840 wrote to memory of 2700	2840	BootstrapperV1.32.exe	37
PID 2840 wrote to memory of 2700	2840	BootstrapperV1.32.exe	37
PID 2840 wrote to memory of 2700	2840	BootstrapperV1.32.exe	37
PID 2700 wrote to memory of 2200	2700	cmd.exe	39
PID 2700 wrote to memory of 2200	2700	cmd.exe	39
PID 2700 wrote to memory of 2200	2700	cmd.exe	39
PID 2700 wrote to memory of 2200	2700	cmd.exe	39
PID 2840 wrote to memory of 904	2840	BootstrapperV1.32.exe	40
PID 2840 wrote to memory of 904	2840	BootstrapperV1.32.exe	40
PID 2840 wrote to memory of 904	2840	BootstrapperV1.32.exe	40
PID 2840 wrote to memory of 904	2840	BootstrapperV1.32.exe	40
PID 904 wrote to memory of 2416	904	cmd.exe	42
PID 904 wrote to memory of 2416	904	cmd.exe	42
PID 904 wrote to memory of 2416	904	cmd.exe	42
PID 904 wrote to memory of 2416	904	cmd.exe	42
PID 2840 wrote to memory of 2232	2840	BootstrapperV1.32.exe	43
PID 2840 wrote to memory of 2232	2840	BootstrapperV1.32.exe	43
PID 2840 wrote to memory of 2232	2840	BootstrapperV1.32.exe	43
PID 2840 wrote to memory of 2232	2840	BootstrapperV1.32.exe	43
PID 2232 wrote to memory of 3036	2232	cmd.exe	45
PID 2232 wrote to memory of 3036	2232	cmd.exe	45
PID 2232 wrote to memory of 3036	2232	cmd.exe	45
PID 2232 wrote to memory of 3036	2232	cmd.exe	45
PID 2840 wrote to memory of 3020	2840	BootstrapperV1.32.exe	46
PID 2840 wrote to memory of 3020	2840	BootstrapperV1.32.exe	46
PID 2840 wrote to memory of 3020	2840	BootstrapperV1.32.exe	46
PID 2840 wrote to memory of 3020	2840	BootstrapperV1.32.exe	46
PID 3020 wrote to memory of 2112	3020	cmd.exe	48
PID 3020 wrote to memory of 2112	3020	cmd.exe	48
PID 3020 wrote to memory of 2112	3020	cmd.exe	48
PID 3020 wrote to memory of 2112	3020	cmd.exe	48
PID 2840 wrote to memory of 2448	2840	BootstrapperV1.32.exe	50
PID 2840 wrote to memory of 2448	2840	BootstrapperV1.32.exe	50
PID 2840 wrote to memory of 2448	2840	BootstrapperV1.32.exe	50
PID 2840 wrote to memory of 2448	2840	BootstrapperV1.32.exe	50
PID 2840 wrote to memory of 2040	2840	BootstrapperV1.32.exe	52
PID 2840 wrote to memory of 2040	2840	BootstrapperV1.32.exe	52
PID 2840 wrote to memory of 2040	2840	BootstrapperV1.32.exe	52
PID 2840 wrote to memory of 2040	2840	BootstrapperV1.32.exe	52
PID 2040 wrote to memory of 1760	2040	cmd.exe	54
PID 2040 wrote to memory of 1760	2040	cmd.exe	54
PID 2040 wrote to memory of 1760	2040	cmd.exe	54
PID 2040 wrote to memory of 1760	2040	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.34.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.34.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Roaming\BootstrapperV1.32.exe
  "C:\Users\Admin\AppData\Roaming\BootstrapperV1.32.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc query windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\sc.exe
      sc query windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc stop windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\SysWOW64\sc.exe
      sc stop windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c sc delete windefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\sc.exe
      sc delete windefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn CleanSweepCheck /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\BootstrapperV1.32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1760
- C:\Users\Admin\AppData\Roaming\BootstrapperV1.22.exe
  "C:\Users\Admin\AppData\Roaming\BootstrapperV1.22.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\system32\cmd.exe
    "cmd" /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
\Users\Admin\AppData\Roaming\BootstrapperV1.32.exe

Filesize
55KB

MD5
a789f36018dc8f90b31f5a4bada5f06e

SHA1
9055844946a5d8f0e28f2c4166e4a7ee37b78abd

SHA256
81193651af092ef7f9382122950f1fc62366019f3ee30cd3c8b1e547859d767e

SHA512
853ae72e8f3fdb103c98e6b8cb1e8b96ece313491ab7f2db386238e2f88c690ce2848c57c212fa7bd1c65a52ca5bcee8c89d33c6608211e50c2afdb6dc79ad8d

Download Submit
memory/2008-1-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-2-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-0-0x0000000074EB1000-0x0000000074EB2000-memory.dmp

Filesize
4KB

Download
memory/2008-18-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-20-0x00000000000B0000-0x000000000017E000-memory.dmp

Filesize
824KB

Download
memory/2840-12-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-13-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-14-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-25-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-26-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-29-0x0000000074EB0000-0x000000007545B000-memory.dmp

Filesize
5.7MB

Download