njrat | 3f0fea74bd93e7e438d8047a44cae4cca888b4495d46675edcbef5db4f1f520b

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nJrat.exe
Size

33KB
MD5

9ad8bb137f921a286d36e30c1d23d208
SHA1

a42fd2f68ffe8bc9b74ffae4b3a860f2ad84feba
SHA256

3f0fea74bd93e7e438d8047a44cae4cca888b4495d46675edcbef5db4f1f520b
SHA512

4e15a33e3817b433d1991d26f5d5bf70460aebde05678efe23e78d5d37173dcf85957c5797e9fd23d34ea113113d62b61feafe30374c9bab2ea9b94da5d48d68
SSDEEP

768:VvTQspjbMaYvF9xdRdDqaws0RFfvJebgXrSw5G:tQs6vFDdXV0vfvJYQrSL

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2340	AcroRd32.exe
2340	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2548	2120	nJrat.exe	31
PID 2120 wrote to memory of 2548	2120	nJrat.exe	31
PID 2120 wrote to memory of 2548	2120	nJrat.exe	31
PID 2548 wrote to memory of 2340	2548	rundll32.exe	32
PID 2548 wrote to memory of 2340	2548	rundll32.exe	32
PID 2548 wrote to memory of 2340	2548	rundll32.exe	32
PID 2548 wrote to memory of 2340	2548	rundll32.exe	32

C:\Users\Admin\AppData\Local\Temp\nJrat.exe
"C:\Users\Admin\AppData\Local\Temp\nJrat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\aaa
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\aaa"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2340

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaa

Filesize
33KB

MD5
9ad8bb137f921a286d36e30c1d23d208

SHA1
a42fd2f68ffe8bc9b74ffae4b3a860f2ad84feba

SHA256
3f0fea74bd93e7e438d8047a44cae4cca888b4495d46675edcbef5db4f1f520b

SHA512
4e15a33e3817b433d1991d26f5d5bf70460aebde05678efe23e78d5d37173dcf85957c5797e9fd23d34ea113113d62b61feafe30374c9bab2ea9b94da5d48d68

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2583dbf824fdcb0aef31a9fe42724cb3

SHA1
6758dbd9a994d320def4f82c4a410b7a88249626

SHA256
b664141aa26dfd960f0b1d761420aa1eb22d5a96d8d379c2f3a3150d374fe26c

SHA512
eeb2c4a26d4d77a11db1c3ced7f7dd4937e9934cb531f63cb6f42f7deb28a55cf998d2674f850879ae54a0f054bf0ddc35a4adfeeab5d0ff21ccc0278233113b

Download Submit
memory/2120-0-0x000007FEF5C0E000-0x000007FEF5C0F000-memory.dmp

Filesize
4KB

Download
memory/2120-1-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download
memory/2120-2-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download
memory/2120-5-0x000007FEF5950000-0x000007FEF62ED000-memory.dmp

Filesize
9.6MB

Download