njrat | 25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bff

General

Target

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe
Size

115KB
MD5

23fcf061055a57bff56bf1cb8c39ba00
SHA1

7333eb694dff7292c836aa4cac34c3fe24ac3df8
SHA256

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bff
SHA512

c1efc0bd869c7ed2d302ce2bc31521bedf0270be05e1f7838c9746387549d3273160f2b9f36708aa474cbbad353afa8dac288b39b569f03cb30eafd230f6c5f9
SSDEEP

1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMdeRmf:P5eznsjsguGDFqGZ2rc+

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2992	netsh.exe

Executes dropped EXE 3 IoCs

Processes:

chargeable.exechargeable.exechargeable.exe

pid	Process
2324	chargeable.exe
3016	chargeable.exe
3000	chargeable.exe

Loads dropped DLL 2 IoCs

Processes:

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe

pid	Process
2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe
2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe"	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

chargeable.exe

description	pid	Process	procid_target
PID 2324 set thread context of 3016	2324	chargeable.exe	32
PID 2324 set thread context of 3000	2324	chargeable.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exechargeable.exechargeable.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

chargeable.exe

description	pid	Process
Token: SeDebugPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe
Token: 33	3016	chargeable.exe
Token: SeIncBasePriorityPrivilege	3016	chargeable.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exechargeable.exechargeable.exe

description	pid	Process	procid_target
PID 2256 wrote to memory of 2324	2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe	30
PID 2256 wrote to memory of 2324	2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe	30
PID 2256 wrote to memory of 2324	2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe	30
PID 2256 wrote to memory of 2324	2256	25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe	30
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3016	2324	chargeable.exe	32
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 2324 wrote to memory of 3000	2324	chargeable.exe	31
PID 3016 wrote to memory of 2992	3016	chargeable.exe	33
PID 3016 wrote to memory of 2992	3016	chargeable.exe	33
PID 3016 wrote to memory of 2992	3016	chargeable.exe	33
PID 3016 wrote to memory of 2992	3016	chargeable.exe	33

C:\Users\Admin\AppData\Local\Temp\25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe
"C:\Users\Admin\AppData\Local\Temp\25f669ea146d8f2c977320f30656e2dd192147dc8c1760b6dcc028eb4ff37bffN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14b682cd70022afc7e1404fad3ba732a

SHA1
e6cfb0822248455db0fbe452e8cc32bbfe8db850

SHA256
96432ba0e843b0aa0ad356a35f329e4c5db40fef4dbf5df637a360df143f1328

SHA512
af81e725e6b1ce05e39d5ba429a0f9379b2131f0f90c74bdb0d3de63934766615cc531015d8fe9b83218853711e838aaceecd4c718ccdc458ba7ff27d54baa8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7cdb8d12979a80edfe2448ef2b41678

SHA1
7c4abfe5bde465642a0952243f98276bfcd518ae

SHA256
cded779f9b2532df714ee349d6d3b518a67114487686f51c4171248c4f68b807

SHA512
82e57926d5d5cc296cc63f0f3ab1e50a20dc613579fb9f43ba3ac923a1ed26fa9f75396b0fdd42b32352257857af23300f1a557b718da9e921b37ef267e3933a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
991979dda149f8ac977c5949c908da3c

SHA1
8e60fafb12ea610384341f97f5b3b845d3856192

SHA256
68f34727897af433d6a0a9d2af8a74b5274ee5704fc9332c7ac60e99ad09074d

SHA512
678f749986b2fa2563e721808e89bdab96eebc52ad488944fa6f8dadeb2fb2f8060e7af77b1fc211b2b8d6f4ab750ec62efef279373f5f9809eb70953d882484

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9B0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB9D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
116KB

MD5
aa8615e2b7dd49c86e93381d77b25b1a

SHA1
dcf568c8813162341acc7dc3585a6e7a7a58d5ce

SHA256
20bcf2c99ed960e060b629d61a10608805f8acff2ccdfee3a68769ea53777fc3

SHA512
6ce69c2041817aef34617a4813060cce4d0ab30cab858e4b6ac2a549582d86a5241ebec9b15339127400d3be39e86e299868672b6a5e90f1da0a17915b372b46

Download Submit
memory/2256-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/2256-167-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-178-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2256-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/3016-342-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3016-347-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3016-346-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads