njrat | bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300fe

General

Target

bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe
Size

1.4MB
MD5

1280141ffb881e94d9583f4590e44350
SHA1

34760e79481085994ee8391e6ae0f49fe8cc3359
SHA256

bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300fe
SHA512

1b44624ca3976ee45a04612d2ce315fdbe0c010c8d9d494dce8ad35bbc0b95118e72f4fd229ef6aa167505afd4a7d266a23323a1cfc2d77371ce23b8c6c89418
SSDEEP

24576:nEeqQq3KZU+f1nqBYHNhRkfUdalyOHUgf6iXzAJx2KkGtSHgqLsvr2:nEuq6xf1nnHNXkfU0lynZiDAJx2rGEA8

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	driver.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	driver.exe

Executes dropped EXE 1 IoCs

pid	Process
2676	driver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\driver.exe\" .."	driver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\driver.exe\" .."	driver.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe
2676	driver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driver.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	driver.exe
2676	driver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	driver.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe
Token: 33	2676	driver.exe
Token: SeIncBasePriorityPrivilege	2676	driver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2676	driver.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2676	816	bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe	84
PID 816 wrote to memory of 2676	816	bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe	84
PID 816 wrote to memory of 2676	816	bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe	84

C:\Users\Admin\AppData\Local\Temp\bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe
"C:\Users\Admin\AppData\Local\Temp\bfc4b4deeb63752021f0c5ab3f131998057eeedf432c9c2ff747007be89300feN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\driver.exe
  "C:\Users\Admin\AppData\Local\Temp\driver.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\driver.exe

Filesize
1.1MB

MD5
1902de0834473c792fceb61cb8640709

SHA1
76c81fd6ae35b2fa943fa10315de9370b4c8eadc

SHA256
b254f1a667dd799a434d60e30bf3dd6d9416440be82ab978b8247da0d08be1c3

SHA512
daf901dc72d0b03ab7f377ce5387ed2fa4ac07162dab7e4eefdfbcae99cd2f3f610d4fcde1373b9cd000914daf8cd4a7c9c262029bce6278827b794af662188a

Download Submit
memory/2676-9-0x00000000002F0000-0x0000000000668000-memory.dmp

Filesize
3.5MB

Download
memory/2676-10-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2676-11-0x00000000002F0000-0x0000000000668000-memory.dmp

Filesize
3.5MB

Download
memory/2676-12-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/2676-13-0x0000000006170000-0x0000000006714000-memory.dmp

Filesize
5.6MB

Download
memory/2676-14-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/2676-15-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/2676-17-0x0000000005A30000-0x0000000005A3A000-memory.dmp

Filesize
40KB

Download
memory/2676-18-0x00000000002F0000-0x0000000000668000-memory.dmp

Filesize
3.5MB

Download
memory/2676-19-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/2676-21-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads