Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2024 19:08

General

  • Target

    CROCODILEJFDHJRTA.exe

  • Size

    2.1MB

  • MD5

    149f649f898409182fcad1ef424ca4cf

  • SHA1

    89098a69e94ed941385bc2ebf00cd8d3c4e47450

  • SHA256

    f5df17fe1d42b1bcb04578bc05f1ae9787d12ebb5c18cf4df18c861120be0532

  • SHA512

    3dbba29127add72bf5e4f3c7ef5e24d4f693d67b28b2650b0a2364a17274fc0967387ca860ec5d619e40c884b54af41fb9c54425e2aaaa4e3e7555d998ce9a06

  • SSDEEP

    49152:6XtCE3Q3PNxLtxcpMLtxcpVLtxcpNCCjAli9LrLtxcF6+zI:UCl1cpkcpxcpNCdCXcF6+U

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

WolfHack2025

C2

MyGokerMan.casacam.net:5552

Mutex

Chrowin3285550

Attributes
  • reg_key

    Chrowin3285550

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 8 IoCs
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe
    "C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Users\Admin\AppData\Local\Temp\Gaming.exe
      "C:\Users\Admin\AppData\Local\Temp\Gaming.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
      "C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\3.EXE
        "C:\Users\Admin\AppData\Local\Temp\3.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Users\Admin\AppData\Local\Temp\wincheon64.exe
          "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe" "wincheon64.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:3164
      • C:\Users\Admin\AppData\Local\Temp\4.EXE
        "C:\Users\Admin\AppData\Local\Temp\4.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Local\Temp\1.EXE
          "C:\Users\Admin\AppData\Local\Temp\1.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Users\Admin\AppData\Local\Temp\svchots.exe
            "C:\Users\Admin\AppData\Local\Temp\svchots.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4032
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchots.exe" "svchots.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:2228
        • C:\Users\Admin\AppData\Local\Temp\2.EXE
          "C:\Users\Admin\AppData\Local\Temp\2.EXE"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1164
          • C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe
            "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4740
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Chrowin32.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.EXE

    Filesize

    37KB

    MD5

    c6a973c4f6ea4969cae1c41d25c5d78c

    SHA1

    12efa1281e57437119df3c8488cd4daadabc80c3

    SHA256

    5a93d1082d4fa0b442f3bf42066a22cdba8f32f2d50dbc1dd9f4db81fa73b496

    SHA512

    4d03fb5bdf9cf340b0a6809858f8da2d0e834f58cfb2182828e16b9a5faae5aeae154c5f7643298e54b3f0e1b8f33265bad82191b9a58bc3dadf3d4f99adb25e

  • C:\Users\Admin\AppData\Local\Temp\2.EXE

    Filesize

    27KB

    MD5

    a5d943b57ae77aab0788d29333ab1227

    SHA1

    4d94e5d4ec4822f4562042216e614c3dddf447c1

    SHA256

    2b7eb9a069471b3547adbfcb21c0d76424ba07b5a556693e377bd72223447b6f

    SHA512

    d46dc2c74679c33d0a981b297e24a142393ce06e063cd2a859b375beb0d5b0fa134ca3241bdbc01f77f02ad85ac3cf697bed640cb708449051c855412b9fce0b

  • C:\Users\Admin\AppData\Local\Temp\3.EXE

    Filesize

    32KB

    MD5

    4f5d50f723896266e70dbb5a0e72ff21

    SHA1

    d3b1fe30f1baaf9e1d34baeb3eaf75619129e490

    SHA256

    83ed6bee9f71403ad9f43b467b99205230e043833a3d014964e79e603613879d

    SHA512

    a8e7ae8aa0a03ccf82be1a58595a17642c8045cf9886266f74ca72b8a23485e9e011ec2018fc9ebd6a9f5c69c5583cc6951ef3320d87037d5f2a8ebc2e6a16e6

  • C:\Users\Admin\AppData\Local\Temp\4.EXE

    Filesize

    117KB

    MD5

    89514d6d4e78ab9f33f24f99ea3b1361

    SHA1

    5e055754b253e2814a1d081a66236b583d982a8b

    SHA256

    8da8b662e1e221793959653c7fb940e2313e5cab2325a3dd7392380924f6129a

    SHA512

    c81f102c4579ad0f27dfcb60aacd22f351f13f988e4a8080092edb64cef9b4006298e94ce55f6d5cff0aef07e5eb7fa2a6c981b8023f9f1827df387d497f7fb9

  • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe

    Filesize

    202KB

    MD5

    90de032c5bc78043531d08ed1bf8ec19

    SHA1

    edd41ecf58e32c3f57ba90ee2fcf3d0e4a9c2cf1

    SHA256

    98df5e2377549819b17759d05406f3c97711a76836aa2bf427ef08045b5ef80d

    SHA512

    5ec5e7a4c35312bf7be5a3353aab857e98c7c0d68188a0b488574027236d1c14118924d500d82d11814c59f85d572226da71620d818d1df49eac95dac080ed8c

  • C:\Users\Admin\AppData\Local\Temp\Gaming.exe

    Filesize

    1.5MB

    MD5

    205604c1ca8e135124962cd5a04b3ca9

    SHA1

    1d4816032549ad0d2e64d95a873034a80ef3744b

    SHA256

    b95b972f8212de7598ec32e544b5689c6f9b4beef8c2fdc41b5ca5a7b11e3ce8

    SHA512

    69c189b597ce3ad37aad873f224faa439c085cb7af3594cedcdbe0100d41ec4f61c2eb161e698cacdacb5d198e388b1896a5f4b8250ee910690c6cc53f14cdf6

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrowin3285550.lnk

    Filesize

    1KB

    MD5

    228956cdab99f2a0735710251d684710

    SHA1

    e07132f16079617074d049aad39134e6e964ad10

    SHA256

    67ec8de2d49c35363d90bcb63112e1c13c2b11f05a6bb81bc4786f149fe0007a

    SHA512

    685607be8cd5edc14016a3eb6865464cfe49d4d97756eee23f07e58dd752eab74b185595b52eaa9c358b07eba5f9b90c811932c5c8e2ae3d8c4b54b4bfb67846

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrowin3285550.lnk

    Filesize

    1KB

    MD5

    edc471bb5d1181425e48ba1441c1d613

    SHA1

    1f8bf74f9a7d74d9b736940f1b8547a46c06fa2b

    SHA256

    cbe7cd5a6942cc2a404fa35a7a503de1fc2046e06d9dbab0fc7f45b92e82e80a

    SHA512

    04d3c9efa219c679929c4c237acc1d7646df47cfafda7aa7691c2be3cb61d1a0c4368e3f4b6f360870416560ec94fdf0e52a2be7c19c48a4392bb48fd815e52a

  • memory/2084-29-0x00000000053B0000-0x0000000005442000-memory.dmp

    Filesize

    584KB

  • memory/2084-26-0x0000000000750000-0x00000000008D8000-memory.dmp

    Filesize

    1.5MB

  • memory/2084-104-0x0000000072030000-0x00000000727E0000-memory.dmp

    Filesize

    7.7MB

  • memory/2084-30-0x0000000005370000-0x000000000537A000-memory.dmp

    Filesize

    40KB

  • memory/2084-31-0x0000000005660000-0x00000000056B6000-memory.dmp

    Filesize

    344KB

  • memory/2084-27-0x0000000005250000-0x00000000052EC000-memory.dmp

    Filesize

    624KB

  • memory/2084-42-0x0000000072030000-0x00000000727E0000-memory.dmp

    Filesize

    7.7MB

  • memory/2084-28-0x00000000058C0000-0x0000000005E64000-memory.dmp

    Filesize

    5.6MB

  • memory/2084-25-0x000000007203E000-0x000000007203F000-memory.dmp

    Filesize

    4KB

  • memory/2084-90-0x000000007203E000-0x000000007203F000-memory.dmp

    Filesize

    4KB

  • memory/3324-24-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/3324-2-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/3324-1-0x00000000752B0000-0x0000000075861000-memory.dmp

    Filesize

    5.7MB

  • memory/3324-0-0x00000000752B2000-0x00000000752B3000-memory.dmp

    Filesize

    4KB