njrat | 99603c4aa08d90d8b53a010e07ca12ddbac2c72e1c5896534215d20ae14fbf30

General

Target

New Client.exe
Size

65KB
MD5

adebf8218a6f1e5ace6965a397c58be8
SHA1

92af1426e006b354ac230f88c59eb813c73d9625
SHA256

99603c4aa08d90d8b53a010e07ca12ddbac2c72e1c5896534215d20ae14fbf30
SHA512

3dc12ef879a13f2554d3d422ddc9b73e579fe0927d0a4fea38d2cd457975ab4da12f0519e0bea87c7df096c6cae5b288947aa52470a44a4017884d36f333c3eb
SSDEEP

1536:ifqK4Tm4BoN36t4QviFw1AjHkBnvbKfLteF3nLrB9z3nIaF9bKS9vM:ifqK4C4BoN36t4QviFC8EBnefWl9zYaS

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:36811

Mutex

svhost.exe

Attributes

reg_key
svhost.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Client.exesvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	New Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	svhost.exe

Executes dropped EXE 6 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exe669088f0db0e4716b691345b7cbaaf25.exe

pid process

4700 svhost.exe
3444 svhost.exe
4508 svhost.exe
452 svhost.exe
2108 svhost.exe
3824 669088f0db0e4716b691345b7cbaaf25.exe

pid	process
4700	svhost.exe
3444	svhost.exe
4508	svhost.exe
452	svhost.exe
2108	svhost.exe
3824	669088f0db0e4716b691345b7cbaaf25.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exesvhost.exe669088f0db0e4716b691345b7cbaaf25.exeNew Client.execmd.exechoice.exetaskkill.exeschtasks.exesvhost.exesvhost.exesvhost.exesvhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	669088f0db0e4716b691345b7cbaaf25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3800 taskkill.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2136 schtasks.exe

pid	process
3800	taskkill.exe

pid	process
2136	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeDebugPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe
Token: SeIncBasePriorityPrivilege	4700	svhost.exe
Token: 33	4700	svhost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

New Client.execmd.exesvhost.exe

description	pid	process	target process
PID 5080 wrote to memory of 4700	5080	New Client.exe	svhost.exe
PID 5080 wrote to memory of 4700	5080	New Client.exe	svhost.exe
PID 5080 wrote to memory of 4700	5080	New Client.exe	svhost.exe
PID 5080 wrote to memory of 3744	5080	New Client.exe	cmd.exe
PID 5080 wrote to memory of 3744	5080	New Client.exe	cmd.exe
PID 5080 wrote to memory of 3744	5080	New Client.exe	cmd.exe
PID 3744 wrote to memory of 3340	3744	cmd.exe	choice.exe
PID 3744 wrote to memory of 3340	3744	cmd.exe	choice.exe
PID 3744 wrote to memory of 3340	3744	cmd.exe	choice.exe
PID 4700 wrote to memory of 3800	4700	svhost.exe	taskkill.exe
PID 4700 wrote to memory of 3800	4700	svhost.exe	taskkill.exe
PID 4700 wrote to memory of 3800	4700	svhost.exe	taskkill.exe
PID 4700 wrote to memory of 1148	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 1148	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 1148	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 2136	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 2136	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 2136	4700	svhost.exe	schtasks.exe
PID 4700 wrote to memory of 3824	4700	svhost.exe	669088f0db0e4716b691345b7cbaaf25.exe
PID 4700 wrote to memory of 3824	4700	svhost.exe	669088f0db0e4716b691345b7cbaaf25.exe
PID 4700 wrote to memory of 3824	4700	svhost.exe	669088f0db0e4716b691345b7cbaaf25.exe

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\669088f0db0e4716b691345b7cbaaf25.exe
    "C:\Users\Admin\AppData\Local\Temp\669088f0db0e4716b691345b7cbaaf25.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3444

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4508

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:452

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x508
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svhost.exe.log

Filesize
418B

MD5
5d4a9519354aeb1aa1dc3623e8eba141

SHA1
40dc75a5da413db2c24f0b71e3268b1b092d58b4

SHA256
6af753e859a4e27e635cc7952c5c3905f09f01f488c4559736efe3a62946767b

SHA512
66cbb607b1a1c4ad07c82d3769456b79dc03bac5ba46e3528ab36855d4e67fe15c89960579910b55c567270bb0e7612df311f15283884e9d3315f3bbda7c0681

Download Submit
C:\Users\Admin\AppData\Local\Temp\kfzraafggd.gif

Filesize
422KB

MD5
705a10144ffd51597b863af7b6dc6761

SHA1
68e3ff4a0c5c498e958431cc4379f33042900194

SHA256
cbc8a31345ac302681cac85e5347de1ffcbaa12bdc50c679ecf99cda7fc5157e

SHA512
00685116a9471c2f95534932eedf29e70c0486cdb16235770ff3ab8655396ead19378c29f57f298ac2d17e202ed8e75b4ecab282a1be4cb40dd27774568107a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
65KB

MD5
adebf8218a6f1e5ace6965a397c58be8

SHA1
92af1426e006b354ac230f88c59eb813c73d9625

SHA256
99603c4aa08d90d8b53a010e07ca12ddbac2c72e1c5896534215d20ae14fbf30

SHA512
3dc12ef879a13f2554d3d422ddc9b73e579fe0927d0a4fea38d2cd457975ab4da12f0519e0bea87c7df096c6cae5b288947aa52470a44a4017884d36f333c3eb

Download Submit
memory/4700-19-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/4700-21-0x0000000006820000-0x0000000006838000-memory.dmp

Filesize
96KB

Download
memory/4700-16-0x0000000074E90000-0x0000000075641000-memory.dmp

Filesize
7.7MB

Download
memory/4700-17-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4700-18-0x0000000074E90000-0x0000000075641000-memory.dmp

Filesize
7.7MB

Download
memory/4700-31-0x00000000051C0000-0x00000000051E2000-memory.dmp

Filesize
136KB

Download
memory/4700-20-0x0000000005020000-0x0000000005086000-memory.dmp

Filesize
408KB

Download
memory/4700-30-0x0000000004680000-0x000000000468E000-memory.dmp

Filesize
56KB

Download
memory/4700-22-0x0000000074E90000-0x0000000075641000-memory.dmp

Filesize
7.7MB

Download
memory/4700-23-0x0000000074E90000-0x0000000075641000-memory.dmp

Filesize
7.7MB

Download
memory/5080-2-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

Filesize
624KB

Download
memory/5080-3-0x0000000005120000-0x00000000056C6000-memory.dmp

Filesize
5.6MB

Download
memory/5080-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/5080-1-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads