njrat | 18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

Analysis

max time kernel
171s
max time network
172s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-10-2024 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DLLINJECTWORK.exe
Size

43KB
MD5

75f876f184505cc110923210adf581cc
SHA1

2670bf9724001fd9ba1370682c8deddb22d1a35c
SHA256

18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13
SHA512

345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74
SSDEEP

384:GZy8tFgpWfxyiihvhAhjEhHSLizYIij+ZsNO3PlpJKkkjh/TzF7pWnD/greT0pqD:c7tWofYiYhcYy4uXQ/oO/+L

Score

10^/10

njrat assault discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

assault

pro-fundraising.gl.at.ply.gg:43768

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	ChromeUpdater.exe

Executes dropped EXE 3 IoCs

pid	Process
1672	ChromeUpdater.exe
1120	Server.exe
3448	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\ChromeUpdater.exe\" .."	ChromeUpdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DLLINJECTWORK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3560	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	DLLINJECTWORK.exe
1672	ChromeUpdater.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe
Token: 33	1672	ChromeUpdater.exe
Token: SeIncBasePriorityPrivilege	1672	ChromeUpdater.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 1672	2516	DLLINJECTWORK.exe	77
PID 2516 wrote to memory of 1672	2516	DLLINJECTWORK.exe	77
PID 2516 wrote to memory of 1672	2516	DLLINJECTWORK.exe	77
PID 1672 wrote to memory of 3560	1672	ChromeUpdater.exe	78
PID 1672 wrote to memory of 3560	1672	ChromeUpdater.exe	78
PID 1672 wrote to memory of 3560	1672	ChromeUpdater.exe	78

C:\Users\Admin\AppData\Local\Temp\DLLINJECTWORK.exe
"C:\Users\Admin\AppData\Local\Temp\DLLINJECTWORK.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe
  "C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3560

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

Filesize
507B

MD5
e8bd0098ec5a1da383fe129285ad924f

SHA1
b44ae4b8450c544b6bd0cb78dd4d7a05316d825e

SHA256
9497c983480d695b1a7fcf2e63d953abebcf759deb3ae698a65440018e80871f

SHA512
2c048bf22871425c4ddaca08b9e8be29a184d9e0dbf8657d99e4a5877ae68186bf7433e383816e3706d299a20c36a80fb04751199781fe437889e5d46d9a19c3

Download Submit
C:\Users\Admin\AppData\Roaming\ChromeUpdater.exe

Filesize
43KB

MD5
75f876f184505cc110923210adf581cc

SHA1
2670bf9724001fd9ba1370682c8deddb22d1a35c

SHA256
18d57def8a8508e9767383a47b26a31d30b4ed1d4fadc260d61810f32ea14a13

SHA512
345c6cbeba7d3db55dee9a4717dea12b32693b19f8588920e2841330ba821fe0fb85769c26cb4b3050d1f851b3bfd26ea14b3dae24be095658243141ae151f74

Download Submit
memory/1120-27-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1120-25-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1672-17-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1672-22-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/1672-21-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1672-16-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/1672-20-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/2516-4-0x0000000005CC0000-0x0000000005D52000-memory.dmp

Filesize
584KB

Download
memory/2516-15-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/2516-5-0x0000000074280000-0x0000000074A31000-memory.dmp

Filesize
7.7MB

Download
memory/2516-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2516-3-0x00000000061C0000-0x0000000006766000-memory.dmp

Filesize
5.6MB

Download
memory/2516-2-0x00000000058C0000-0x000000000595C000-memory.dmp

Filesize
624KB

Download
memory/2516-1-0x0000000000E10000-0x0000000000E22000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads