njrat | 56cb9a9aba2aa8d2ffa070fc15524cc0d4cb4b971cfd4f2c5fd089f18a9159bf

Analysis

max time kernel
359s
max time network
360s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spam_discord.exe
Size

33KB
MD5

ae8f6efb07eca4eddd606257a09db80d
SHA1

1aec86f9a257129e92328cc499788ef9d634dbfd
SHA256

56cb9a9aba2aa8d2ffa070fc15524cc0d4cb4b971cfd4f2c5fd089f18a9159bf
SHA512

05e0baa914947c9ac8cd29dcc7f374e4935167ee8a1c60ddf894a799bd9d7d7d0ae266e4ca64b06e5bf0411a36b558be1942763e349580c9929079a51d59c3a4
SSDEEP

768:VvTRf6qjU4X10zbvQX0O7yOCPijnXkWebNiPVSRiR:tRf6qjV1Qbv60O75CKjkWUG4y

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\_auto_file\	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2112	AcroRd32.exe
2112	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2348	2572	spam_discord.exe	30
PID 2572 wrote to memory of 2348	2572	spam_discord.exe	30
PID 2572 wrote to memory of 2348	2572	spam_discord.exe	30
PID 2348 wrote to memory of 2112	2348	rundll32.exe	31
PID 2348 wrote to memory of 2112	2348	rundll32.exe	31
PID 2348 wrote to memory of 2112	2348	rundll32.exe	31
PID 2348 wrote to memory of 2112	2348	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\spam_discord.exe
"C:\Users\Admin\AppData\Local\Temp\spam_discord.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\aaa
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\aaa"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2112

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aaa

Filesize
33KB

MD5
ae8f6efb07eca4eddd606257a09db80d

SHA1
1aec86f9a257129e92328cc499788ef9d634dbfd

SHA256
56cb9a9aba2aa8d2ffa070fc15524cc0d4cb4b971cfd4f2c5fd089f18a9159bf

SHA512
05e0baa914947c9ac8cd29dcc7f374e4935167ee8a1c60ddf894a799bd9d7d7d0ae266e4ca64b06e5bf0411a36b558be1942763e349580c9929079a51d59c3a4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3ec5e2bf15039729d763c14b3bd9e06e

SHA1
9676ad5c00ab2660c57008a0516e6035604289c9

SHA256
09aa6aa8c1e5ccaeb68c64283115d50e42c613bec6bfc87ef2b5cc3345584faa

SHA512
c9f30d23bfce09b4b9a6d0b7e55d3b2d165ee01fd7948cd8309c83bb57d776438db10383481ee6d2a1d4c41772a57ca8b0aecb60ac662939c5c68cac3d61e74d

Download Submit
memory/2572-0-0x000007FEF5C7E000-0x000007FEF5C7F000-memory.dmp

Filesize
4KB

Download
memory/2572-1-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/2572-2-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-5-0x000007FEF59C0000-0x000007FEF635D000-memory.dmp

Filesize
9.6MB

Download