njrat | 9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4

General

Target

9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe
Size

691KB
MD5

cb388bfc451183d5e8f4dae5bcaa42c5
SHA1

7c1979d5b07d61be4e15de5a028d8631ee75c413
SHA256

9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4
SHA512

46f65cd29c4bf35f25507b7aa25dddfb28283f5981607b41e87e164bb6cdc9d56d1b66ae63b4e88bcb624bf86687d58b6a8266102d73b170bf55aff438d9c106
SSDEEP

12288:NLMEalqxXblqoRX5qbfphLxaOzOpSX0+Tlbsl+YQSn:ZqaXNabfphLxanSk+xTpSn

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:888

Mutex

129295b2f84871f6432468d2e8802e81

Attributes

reg_key
129295b2f84871f6432468d2e8802e81
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3016	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\129295b2f84871f6432468d2e8802e81.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\129295b2f84871f6432468d2e8802e81.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
2856	svchost.exe
2912	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\129295b2f84871f6432468d2e8802e81 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\129295b2f84871f6432468d2e8802e81 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\xxxxxx	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe
File created	C:\Program Files\xxxxxx\__tmp_rar_sfx_access_check_259521609	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe
File created	C:\Program Files\xxxxxx\svchost.exe	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe
File opened for modification	C:\Program Files\xxxxxx\svchost.exe	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe
Token: 33	2912	server.exe
Token: SeIncBasePriorityPrivilege	2912	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2856	2904	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe	29
PID 2904 wrote to memory of 2856	2904	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe	29
PID 2904 wrote to memory of 2856	2904	9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe	29
PID 2856 wrote to memory of 2912	2856	svchost.exe	30
PID 2856 wrote to memory of 2912	2856	svchost.exe	30
PID 2856 wrote to memory of 2912	2856	svchost.exe	30
PID 2912 wrote to memory of 3016	2912	server.exe	31
PID 2912 wrote to memory of 3016	2912	server.exe	31
PID 2912 wrote to memory of 3016	2912	server.exe	31

C:\Users\Admin\AppData\Local\Temp\9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe
"C:\Users\Admin\AppData\Local\Temp\9c3b2fbc16a9de445cb29b54df0640e490842071a7cc56741b2849b79f40b1b4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Program Files\xxxxxx\svchost.exe
  "C:\Program Files\xxxxxx\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\xxxxxx\svchost.exe

Filesize
130KB

MD5
b3d00932eb36d08a6b9270d8ef5fa8d5

SHA1
738f8f2b1632256c2382a63f72a4f2e0cc8fc24d

SHA256
e78e7cd8277852811360372dfacef123701013c3d3c4f021ca9adc9ba4e8827e

SHA512
5e4103ef57a3d74247c603814c378aa26cb23b3e5a295b4dbf2e8386f28a19244546f3a23a6588864e9b6f3a6ceb4b434a2464863332e3d618516d9f8becf6da

Download Submit
memory/2856-11-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2856-12-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/2856-14-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2856-13-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2856-15-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2856-21-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2912-22-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2912-24-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads