njrat | 161b33a3ef477f26cdc150c5ebdec32608975cd3d359c8fa1dd7576a2692cfc3

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkSnakeFlex.exe
Size

395KB
MD5

a6e769e192f3a302342c1eef22a16088
SHA1

92840048c6ee3811ed84e7c743f6788311182c2c
SHA256

5ac2dc6b18782e745af8a2985921dbc64b41f7b4f8a6cf4274704b18345d3dac
SHA512

88db5067ee80dc761f70cad5fce5b87d10cf737715d245ecc23350edcd4007b58f74b0672f473a8c1cf6bb2148fdd0987a6ccca09b4cb58d9f82822c877e7970
SSDEEP

1536:6vdWSVRVDlOzjRzrksAO0iN9uEH2Kj+gRJN3dOuzXz76XgnIa1QCSz7S7Nv:6MSncRzAO0i7uUv+yJtUOnI9UNv

Score

10^/10

njrat system32 discovery trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

system32

no-vac.ddns.net:6522

Mutex

2bb34da73788e2e567ded296b83f1c4e

Attributes

reg_key
2bb34da73788e2e567ded296b83f1c4e
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 2 IoCs

pid	Process
2132	SERVER.EXE
1660	SNAKEGAME.EXE

Loads dropped DLL 3 IoCs

pid	Process
1392	DarkSnakeFlex.exe
1392	DarkSnakeFlex.exe
1392	DarkSnakeFlex.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64	SERVER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkSnakeFlex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVER.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2132	1392	DarkSnakeFlex.exe	28
PID 1392 wrote to memory of 2132	1392	DarkSnakeFlex.exe	28
PID 1392 wrote to memory of 2132	1392	DarkSnakeFlex.exe	28
PID 1392 wrote to memory of 2132	1392	DarkSnakeFlex.exe	28
PID 1392 wrote to memory of 1660	1392	DarkSnakeFlex.exe	29
PID 1392 wrote to memory of 1660	1392	DarkSnakeFlex.exe	29
PID 1392 wrote to memory of 1660	1392	DarkSnakeFlex.exe	29
PID 1392 wrote to memory of 1660	1392	DarkSnakeFlex.exe	29

C:\Users\Admin\AppData\Local\Temp\DarkSnakeFlex.exe
"C:\Users\Admin\AppData\Local\Temp\DarkSnakeFlex.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE
  "C:\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE"
  2⤵
  - Executes dropped EXE
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\SERVER.EXE

Filesize
37KB

MD5
e6df7638861cc7aeb1150f7b9abf1703

SHA1
adbc72359d1e26d78c16c92a6eb23f357715568c

SHA256
a42cdbdbde54ff254f046cdd14e1ba86e040b7ad2ae7cdb44415d5fbf420015a

SHA512
c3173dcb43eb7bbaa2580604d08a580722e517be99533beccfc80544f828546a126db305b9d01773efae96a2ba3ad3712b310fc14f7c06427277ac02a65f5cf3

Download Submit
\Users\Admin\AppData\Local\Temp\SNAKEGAME.EXE

Filesize
24KB

MD5
dc45bc2e4f394805ade55a42097b853b

SHA1
602fcf6b5595e30ad930901f670e60d6cc571f75

SHA256
c42150de053665206ee68e621d3531cacd0b9a8d743b924c2a3e29ea24f41ec7

SHA512
d3d05aee1179bed84b660c4090f570a2c9b097f03accd46ddbcdde5df46337361e23a7793cbbe1b22c91ce745dca315bf0484266a2ec171e1a22f900787d280d

Download Submit
memory/1660-16-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

Filesize
4KB

Download
memory/1660-17-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/1660-19-0x000007FEF58EE000-0x000007FEF58EF000-memory.dmp

Filesize
4KB

Download
memory/1660-20-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2132-18-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download