njrat | 7e7ded78b7fc6d533580cedeb16a9f003cee552ddf0acebaf883fb17a9eabb69

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wire Notification.jar
Size

560KB
MD5

22b2dd04bb82b6fb05f6d148255c14c6
SHA1

782faf733ea7d5e36f5e77dd66a7e16fa2f7f86d
SHA256

dd33019c84b905443de022d1ff40146e7d1a2b5b472a3e1589b0ecb36ee64555
SHA512

295eed7bd9cc01f499896f53cc764836fc04513e79434e9b1365bae7105f4ef09cbb668224d9a1653d945a8d7d190693f182cc40307a0a92dec2e916dd7c82c7
SSDEEP

12288:k9f0DrXoyn7Dg0G4ZCLrK6PxEgZ7QBjm/i01rXoyNpDC0GUaResHMO:k50PXtG4ZQpx7QBCa0pXbGdMnO

Score

10^/10

njrat home discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HOME

popintertradeer.ddns.net:5552

Mutex

8142474e71bf5da2c38d35d26869bf5c

Attributes

reg_key
8142474e71bf5da2c38d35d26869bf5c
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3028	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	M.exe

Executes dropped EXE 7 IoCs

pid	Process
1492	nwi3593645304789568173.exe
4644	nwi250346192955862333.exe
1324	M.exe
4040	M.exe
4800	M.exe
4620	explorer.exe
3768	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	nwi250346192955862333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nwi3593645304789568173.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8142474e71bf5da2c38d35d26869bf5c = "\"C:\\Users\\Admin\\explorer.exe\" .."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8142474e71bf5da2c38d35d26869bf5c = "\"C:\\Users\\Admin\\explorer.exe\" .."	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4040 set thread context of 4800	4040	M.exe	90
PID 4620 set thread context of 3768	4620	explorer.exe	92

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c87-32.dat	upx
behavioral2/memory/1324-37-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/1324-39-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4040-55-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/4620-88-0x0000000000400000-0x000000000046A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwi250346192955862333.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwi3593645304789568173.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4040	M.exe
4040	M.exe
4040	M.exe
4040	M.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe
4620	explorer.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe
Token: 33	3768	explorer.exe
Token: SeIncBasePriorityPrivilege	3768	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4040	M.exe
4040	M.exe
1324	M.exe
4620	explorer.exe
4620	explorer.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1492	1620	java.exe	86
PID 1620 wrote to memory of 1492	1620	java.exe	86
PID 1620 wrote to memory of 1492	1620	java.exe	86
PID 1620 wrote to memory of 4644	1620	java.exe	87
PID 1620 wrote to memory of 4644	1620	java.exe	87
PID 1620 wrote to memory of 4644	1620	java.exe	87
PID 1492 wrote to memory of 1324	1492	nwi3593645304789568173.exe	89
PID 1492 wrote to memory of 1324	1492	nwi3593645304789568173.exe	89
PID 1492 wrote to memory of 1324	1492	nwi3593645304789568173.exe	89
PID 4644 wrote to memory of 4040	4644	nwi250346192955862333.exe	88
PID 4644 wrote to memory of 4040	4644	nwi250346192955862333.exe	88
PID 4644 wrote to memory of 4040	4644	nwi250346192955862333.exe	88
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4040 wrote to memory of 4800	4040	M.exe	90
PID 4800 wrote to memory of 4620	4800	M.exe	91
PID 4800 wrote to memory of 4620	4800	M.exe	91
PID 4800 wrote to memory of 4620	4800	M.exe	91
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 4620 wrote to memory of 3768	4620	explorer.exe	92
PID 3768 wrote to memory of 3028	3768	explorer.exe	93
PID 3768 wrote to memory of 3028	3768	explorer.exe	93
PID 3768 wrote to memory of 3028	3768	explorer.exe	93

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Wire Notification.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\nwi3593645304789568173.exe
  C:\Users\Admin\AppData\Local\Temp\nwi3593645304789568173.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\nwi250346192955862333.exe
  C:\Users\Admin\AppData\Local\Temp\nwi250346192955862333.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Users\Admin\explorer.exe
        
        "C:\Users\Admin\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Users\Admin\explorer.exe
        
        C:\Users\Admin\explorer.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\explorer.exe" "explorer.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_

Filesize
67KB

MD5
49424f341f838a4ce27197aed4847598

SHA1
aae80b2ba04bf5dfd584983aea9311138f7a291b

SHA256
8ca3bcaccd0228a67aef40b148ee55800e0f5960433f93918e65b788fcea3ab0

SHA512
e90b88ea10636e9ded71a4954934e429e26237450506b660ec0fa85a488c14a6e2160616d884763431bcc63d66276248302a826fa0b942381dd3a77a2fbf2181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe

Filesize
153KB

MD5
033ffa687f8e6c5ca059bb4c87a19f6c

SHA1
3918e4059745bbc2a90e2a8923696df646bb0d7c

SHA256
1c759626d29d2f3105a0813f9a12fc7b2c46f5e4864c08bc2489d8ab7862bc87

SHA512
d28b11f8318c8f795be7ff18e9447bd136bc96921f5f038f8b9ccb1a60f10c28b1a5bf3876d65e6e0db7b8dbfc483a31c0646cde121574cbe3f96f6b2b029025

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwi250346192955862333.exe

Filesize
282KB

MD5
7ca883132f911dc51acbc93bbd3c025a

SHA1
a24679540f4b0c7e40d8f4715791d6b98909b143

SHA256
bd10e99fa6e2c7de3f76bea84f0b15cbf10ccb2badbe79e2a2c7370f90dc254e

SHA512
bfb399eb4d4b0756f39bcf63e791ec199073a6a692e759d1bc0799b43223fa72be2f3b71a1b737c3858452cb149d99812d3ccc49c7c8dd2a12df2eae900f3451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwi3593645304789568173.exe

Filesize
342KB

MD5
4cd2f4749d8f2e13849fb0481ea23b63

SHA1
947e01c3d53b03e454921613abd3e3d27801f215

SHA256
560166ce8f4c12322484e638b1b6f17d7d65157475aef1962339cc6848f921be

SHA512
4e9f21e03d08bb20127a2bc0c4a61ab8454cf8644feab9df8d85687660e22403e8e7dd310d24bc8ac3a3e35dc3b145130d6517710654b7bde2798aafe7e387e4

Download Submit
memory/1324-39-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1324-37-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1620-20-0x000002B22E900000-0x000002B22E901000-memory.dmp

Filesize
4KB

Download
memory/1620-23-0x000002B2301D0000-0x000002B230440000-memory.dmp

Filesize
2.4MB

Download
memory/1620-2-0x000002B2301D0000-0x000002B230440000-memory.dmp

Filesize
2.4MB

Download
memory/4040-55-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4620-88-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4800-50-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download