njrat | 09f6b7cdce51c287cd7e6b996b89b548827d9e6960a4ac3c24ce8572bb6f2aac

General

Target

1.exe
Size

26KB
MD5

1ea0ce92a9671c932d4839291da7d91b
SHA1

25eaa42e77e876df66961a3b7360936acd3b941f
SHA256

09f6b7cdce51c287cd7e6b996b89b548827d9e6960a4ac3c24ce8572bb6f2aac
SHA512

a349bd4fd3c6db3df8b960b06aeba81613c03c2a39d3a428ada73a10054ac3a68ffae23860d333151abedaf577445a7ca6eaff5ad018b4d5cf74573827acf655
SSDEEP

384:wLduTaZIVi/dMkt1cpDkjetHzCYe/QBY2OzRLTm3yilqr6YqbdtVvGf:um0IVi/dMc1uT5e/WsX0VvGf

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1480 cmd.exe

pid	process
1480	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe\""	1.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.execmd.exePING.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1480 cmd.exe
3020 PING.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3020 PING.EXE

pid	process
1480	cmd.exe
3020	PING.EXE

pid	process
3020	PING.EXE

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

1.exe

description	pid	process
Token: SeDebugPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe
Token: 33	2604	1.exe
Token: SeIncBasePriorityPrivilege	2604	1.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1.execmd.exe

description	pid	process	target process
PID 2604 wrote to memory of 1480	2604	1.exe	cmd.exe
PID 2604 wrote to memory of 1480	2604	1.exe	cmd.exe
PID 2604 wrote to memory of 1480	2604	1.exe	cmd.exe
PID 2604 wrote to memory of 1480	2604	1.exe	cmd.exe
PID 1480 wrote to memory of 3020	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3020	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3020	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3020	1480	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\PING.EXE
    ping 0 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2604-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-3-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2604-4-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-5-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads