njrat | 79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe
Size

1.5MB
MD5

4e8605fc4f563367bfc6c17b0814f9e0
SHA1

baf0a6501d82494cb3e6787bae049f89348a6bec
SHA256

79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2
SHA512

5ca177c98c54bfb318ac59a4a55a4cc07d0d667e9e48e139d1ec8dded53946345d5b623148cfabb98030ef9e976b30cad429fb62c9c9dd4b25b8930f3c2e41ae
SSDEEP

49152:ZUZMwyarkY6PQ5LeGJO8cH7mO2+Behc3WsP2b2OW:Znw8lRGwVHap+f3Ws+yP

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

legendek.viewdns.net:2228

Mutex

56fe2dd164a1d408bef67d69fd4219dd

Attributes

reg_key
56fe2dd164a1d408bef67d69fd4219dd
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3496	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.exe	jce.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.exe	jce.exe

Executes dropped EXE 3 IoCs

pid	Process
2256	Ocean-mQ7Y4U7K9.exe
876	jce.exe
5028	h27YGK.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\microsoft.exe	jce.exe
File opened for modification	C:\Windows\SysWOW64\microsoft.exe	jce.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe
5028	h27YGK.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\microsoft.exe	jce.exe
File opened for modification	C:\Program Files (x86)\microsoft.exe	jce.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe
876	jce.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2256	Ocean-mQ7Y4U7K9.exe
876	jce.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	jce.exe
Token: SeDebugPrivilege	5028	h27YGK.exe
Token: SeDebugPrivilege	5028	h27YGK.exe
Token: SeIncreaseQuotaPrivilege	5028	h27YGK.exe
Token: SeSecurityPrivilege	5028	h27YGK.exe
Token: SeTakeOwnershipPrivilege	5028	h27YGK.exe
Token: SeLoadDriverPrivilege	5028	h27YGK.exe
Token: SeSystemProfilePrivilege	5028	h27YGK.exe
Token: SeSystemtimePrivilege	5028	h27YGK.exe
Token: SeProfSingleProcessPrivilege	5028	h27YGK.exe
Token: SeIncBasePriorityPrivilege	5028	h27YGK.exe
Token: SeCreatePagefilePrivilege	5028	h27YGK.exe
Token: SeBackupPrivilege	5028	h27YGK.exe
Token: SeRestorePrivilege	5028	h27YGK.exe
Token: SeShutdownPrivilege	5028	h27YGK.exe
Token: SeDebugPrivilege	5028	h27YGK.exe
Token: SeSystemEnvironmentPrivilege	5028	h27YGK.exe
Token: SeRemoteShutdownPrivilege	5028	h27YGK.exe
Token: SeUndockPrivilege	5028	h27YGK.exe
Token: SeManageVolumePrivilege	5028	h27YGK.exe
Token: 33	5028	h27YGK.exe
Token: 34	5028	h27YGK.exe
Token: 35	5028	h27YGK.exe
Token: 36	5028	h27YGK.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe
Token: 33	876	jce.exe
Token: SeIncBasePriorityPrivilege	876	jce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2256	Ocean-mQ7Y4U7K9.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2256	4952	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe	84
PID 4952 wrote to memory of 2256	4952	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe	84
PID 4952 wrote to memory of 876	4952	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe	85
PID 4952 wrote to memory of 876	4952	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe	85
PID 4952 wrote to memory of 876	4952	79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe	85
PID 876 wrote to memory of 3496	876	jce.exe	87
PID 876 wrote to memory of 3496	876	jce.exe	87
PID 876 wrote to memory of 3496	876	jce.exe	87
PID 2256 wrote to memory of 5028	2256	Ocean-mQ7Y4U7K9.exe	89
PID 2256 wrote to memory of 5028	2256	Ocean-mQ7Y4U7K9.exe	89

C:\Users\Admin\AppData\Local\Temp\79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe
"C:\Users\Admin\AppData\Local\Temp\79a3409077b08f5f71c8d56636b5cbc3205228c73073c2815b7c5b9fc97079d2N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Ocean-mQ7Y4U7K9.exe
  "C:\Users\Admin\AppData\Local\Temp\Ocean-mQ7Y4U7K9.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\GxEhihBH9ZC8h7\h27YGK.exe
    C:\Users\Admin\AppData\Local\Temp\GxEhihBH9ZC8h7\h27YGK.exe Q7Y4U7K9
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- C:\Users\Admin\AppData\Local\Temp\jce.exe
  "C:\Users\Admin\AppData\Local\Temp\jce.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\jce.exe" "jce.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GxEhihBH9ZC8h7\h27YGK.exe

Filesize
7.6MB

MD5
04119e6b18ad58698adf99a9ee1fce91

SHA1
1a1c1099bbce911df30fecb8f7f8ed78e22d0318

SHA256
1312fb7adee3f7dad51214e1fb78670b64177881d0e60adf74de339960da54b8

SHA512
7698fb2ec12291a776e9fd39648d094f62c3c8cef43b6aa900b30d520f316ead179f833b9a1df6bcfe132c637fd62282d2e31881a5f5cbd6c78c9a381d9cf00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocean-mQ7Y4U7K9.exe

Filesize
2.3MB

MD5
46888c7235910a21a39b13caa72e6113

SHA1
73f89ce12e2db6655b08efe4f233a8a05aa94fd7

SHA256
ef732471300f0a0d6e0e17f48c20b6e28ae9f5e8fc73b02c1cc3668859b1aed4

SHA512
92513026de2ff0cd9eafaaa9d74ae2e8e15f1aa682d1ab5e6d05a357f6b4debb0f146c2f67284ae5eda99ae8ffc6ce99996d944ed155fe4694d6d7d9b4aeaa2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jce.exe

Filesize
93KB

MD5
38696e214ef315d2ba5eb8ca87fd4865

SHA1
f87ebc974c10e8954eca76670f00fba4d0b77975

SHA256
f51b8a48dc96e4d2e74a86bbde4036eb86646ba44421002075cb2a07c250138c

SHA512
dbccffe0e6e2ce840ccaddcb6f2ab5f0d645ac902d84cd073c0d6cae0dbfa7be015889d616c562f86d755e900c5c1715097274a781ba6168b4fbfcac3c23dd4d

Download Submit
memory/876-18-0x0000000074142000-0x0000000074143000-memory.dmp

Filesize
4KB

Download
memory/876-19-0x0000000074140000-0x00000000746F1000-memory.dmp

Filesize
5.7MB

Download
memory/876-20-0x0000000074140000-0x00000000746F1000-memory.dmp

Filesize
5.7MB

Download
memory/876-49-0x0000000074140000-0x00000000746F1000-memory.dmp

Filesize
5.7MB

Download
memory/876-50-0x0000000074142000-0x0000000074143000-memory.dmp

Filesize
4KB

Download
memory/876-51-0x0000000074140000-0x00000000746F1000-memory.dmp

Filesize
5.7MB

Download
memory/5028-43-0x00007FFE57740000-0x00007FFE57742000-memory.dmp

Filesize
8KB

Download
memory/5028-42-0x00007FFE57730000-0x00007FFE57732000-memory.dmp

Filesize
8KB

Download
memory/5028-44-0x0000000140000000-0x000000014169A000-memory.dmp

Filesize
22.6MB

Download