njrat | 371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5

General

Target

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Size

998KB
MD5

f6285298e09929244eb9721e78f1369a
SHA1

0bd100e7a55810b3d9dbd2c302c246c867d20852
SHA256

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5
SHA512

8139a473deda14e651566f03868c2bd5c760994e749982ae9ad16576040d4098f3985d7979cbc306e91d8c628434ab96337c3f4d11658b58cef6d73a77a5e7fa
SSDEEP

12288:fMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VXKFUoanL:fnsJ39LyjbJkQFMhmC+6GD96yL

Score

10^/10

njrat xred backdoor discovery evasion macro persistence privilege_escalation trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Njrat family
njrat
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1892	netsh.exe

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
behavioral1/files/0x000900000001739f-92.dat
behavioral1/files/0x000b00000001739f-114.dat

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb37852a0eff3d12ee195891381805c.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4eb37852a0eff3d12ee195891381805c.exe	server.exe

Executes dropped EXE 4 IoCs

Processes:

._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeSynaptics.exe._cache_Synaptics.exeserver.exe

pid	Process
2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2744	Synaptics.exe
2556	._cache_Synaptics.exe
1308	server.exe

Loads dropped DLL 9 IoCs

Processes:

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeSynaptics.exe._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe

pid	Process
2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2744	Synaptics.exe
2744	Synaptics.exe
2744	Synaptics.exe
2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeserver.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\4eb37852a0eff3d12ee195891381805c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4eb37852a0eff3d12ee195891381805c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXEserver.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2636	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

._cache_Synaptics.exe._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeserver.exe

pid	Process
2556	._cache_Synaptics.exe
2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
1308	server.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe._cache_Synaptics.exeserver.exe

description	pid	Process
Token: SeDebugPrivilege	2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
Token: SeDebugPrivilege	2556	._cache_Synaptics.exe
Token: SeDebugPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe
Token: 33	1308	server.exe
Token: SeIncBasePriorityPrivilege	1308	server.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2636	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeSynaptics.exe._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exeserver.exe

description	pid	Process	procid_target
PID 2152 wrote to memory of 2800	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	31
PID 2152 wrote to memory of 2800	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	31
PID 2152 wrote to memory of 2800	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	31
PID 2152 wrote to memory of 2800	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	31
PID 2152 wrote to memory of 2744	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	32
PID 2152 wrote to memory of 2744	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	32
PID 2152 wrote to memory of 2744	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	32
PID 2152 wrote to memory of 2744	2152	371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	32
PID 2744 wrote to memory of 2556	2744	Synaptics.exe	33
PID 2744 wrote to memory of 2556	2744	Synaptics.exe	33
PID 2744 wrote to memory of 2556	2744	Synaptics.exe	33
PID 2744 wrote to memory of 2556	2744	Synaptics.exe	33
PID 2800 wrote to memory of 1308	2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	36
PID 2800 wrote to memory of 1308	2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	36
PID 2800 wrote to memory of 1308	2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	36
PID 2800 wrote to memory of 1308	2800	._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe	36
PID 1308 wrote to memory of 1892	1308	server.exe	37
PID 1308 wrote to memory of 1892	1308	server.exe	37
PID 1308 wrote to memory of 1892	1308	server.exe	37
PID 1308 wrote to memory of 1892	1308	server.exe	37

C:\Users\Admin\AppData\Local\Temp\371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
"C:\Users\Admin\AppData\Local\Temp\371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1892
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
998KB

MD5
f6285298e09929244eb9721e78f1369a

SHA1
0bd100e7a55810b3d9dbd2c302c246c867d20852

SHA256
371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5

SHA512
8139a473deda14e651566f03868c2bd5c760994e749982ae9ad16576040d4098f3985d7979cbc306e91d8c628434ab96337c3f4d11658b58cef6d73a77a5e7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\axjxB2WS.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\axjxB2WS.xlsm

Filesize
20KB

MD5
ef3c67aa6b3912c86b42340f9e10bb89

SHA1
630498f9f149f86cf0450a4bb1037d9a8c051140

SHA256
379d197c91f2dfc601852ade7686548fc52e5e1fada337087f4953ce8ecc5151

SHA512
55ad013bcacd09779e8c428398c0ca220695d3c8096e2394760045b93e2d033685cab32ebc92bd82c27529f07c84869457fa0571a7c1c204d02e2d2afd3bcbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\axjxB2WS.xlsm

Filesize
24KB

MD5
26e6c3b54f65127a3533ad4c2072ae44

SHA1
fd8a0298d762cef6e329fded3df3e94b5e8dbb1f

SHA256
e84463332bcdd40db70599beaf6a3b7c5ea1db45a3813b075d624deedbb1b33d

SHA512
7d563fd3244d1d9cf6f957f2d3da517e7e6fea187280b89e9cfe6e2d65900fa4c315204f1c15f29c588ea3303b1a7b28b22738feab91bc92aa4197ee0bac0d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\axjxB2WS.xlsm

Filesize
23KB

MD5
b7560a80020c0f186a4e90c7a26ed140

SHA1
9fbfe52b5854cc5764435667e2a7cda3d5624240

SHA256
90c7587eb2d7a50df2c3f00d7417f5f961bf55a32203f58d71db7d484a98c65c

SHA512
718c73668506dec53962dc8fdc66ccfd242b053aad771159e8554f3d979266e41befe0a85c1dab5a4e0ddb4230ba985a8967a11b9828873eecbb86f164f4a65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\axjxB2WS.xlsm

Filesize
28KB

MD5
e251bf33a8b8c421d1101f086c0c6d5d

SHA1
9cee0e2a6f27af2b3e210c2684b8c172e560c791

SHA256
d9a143b5549ef4d18373dd07e5b44ca832bff9b0cb01bd970bf12845748194dd

SHA512
db58bb6b6b8174b4110e406e973500b466dcdc205409c70df49ec3a2d42fafc0de761c2578a63e65911f440d5ecde0a37ce40e4667069049dea00594df9e6e10

Download Submit
C:\Users\Admin\Documents\~$UsePush.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_371ce0cf99ba5e835f5caebb1dba9c42aad2572af10a461217c4797651ec34d5.exe

Filesize
244KB

MD5
0ae9347f02737113842f37809172da96

SHA1
242a20e1ffdf9fef0b5682cd2bb6738fe8097600

SHA256
7de73d47d9a917d4ebf25264af7144794f69c2046fa2412f4af1f93eb71be032

SHA512
78cc2b7372c5a5c21d9759311772e1b4e82627da278ee9d2d759d2ecceaf9db09ec20bff3f998b3966b6533d860d0c3828581d169ec163fa6bf941955afa9690

Download Submit
memory/2152-29-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2152-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2636-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2744-120-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2744-132-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2744-166-0x0000000000400000-0x00000000004FF000-memory.dmp

Filesize
1020KB

Download
memory/2800-32-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads