njrat | a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3

General

Target

8d2dc9f89bbf0657829b0e6cc54e4df0N.exe
Size

2.0MB
MD5

8d2dc9f89bbf0657829b0e6cc54e4df0
SHA1

3e715c611dfd6785cfe456d61b91f2b71ed9f629
SHA256

a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3
SHA512

b5421c8f3401b7e59b5e76967efef13875fc66a9d863e57e38e146c6528c73d8444dcfd0d61aab922367f14beee062919db6c1d50668660115da3d1b6b8a4b36
SSDEEP

24576:iKC8qbbQzLEGplivuaN7oCXmDNfwG92pmbcaQMwaTqYfwug1L:0rbUXEGpliz7oCWDPcacY

Score

10^/10

njrat 复复美制美 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

复复美制美

C2

hakim32.ddns.net:2000

147.185.221.21:33869

Mutex

5d9b545ac4ee41f57768dba98a8ebbb2

Attributes

reg_key
5d9b545ac4ee41f57768dba98a8ebbb2
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4932	netsh.exe
4616	netsh.exe
1464	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	8d2dc9f89bbf0657829b0e6cc54e4df0N.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d9b545ac4ee41f57768dba98a8ebbb2Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d9b545ac4ee41f57768dba98a8ebbb2Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2188	server.exe
4824	StUpdate.exe
4048	StUpdate.exe
4736	StUpdate.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Explower.exe	server.exe
File opened for modification	C:\Program Files (x86)\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d2dc9f89bbf0657829b0e6cc54e4df0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3968	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe
Token: 33	2188	server.exe
Token: SeIncBasePriorityPrivilege	2188	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2188	4044	8d2dc9f89bbf0657829b0e6cc54e4df0N.exe	92
PID 4044 wrote to memory of 2188	4044	8d2dc9f89bbf0657829b0e6cc54e4df0N.exe	92
PID 4044 wrote to memory of 2188	4044	8d2dc9f89bbf0657829b0e6cc54e4df0N.exe	92
PID 2188 wrote to memory of 4932	2188	server.exe	99
PID 2188 wrote to memory of 4932	2188	server.exe	99
PID 2188 wrote to memory of 4932	2188	server.exe	99
PID 2188 wrote to memory of 4616	2188	server.exe	102
PID 2188 wrote to memory of 4616	2188	server.exe	102
PID 2188 wrote to memory of 4616	2188	server.exe	102
PID 2188 wrote to memory of 1464	2188	server.exe	103
PID 2188 wrote to memory of 1464	2188	server.exe	103
PID 2188 wrote to memory of 1464	2188	server.exe	103
PID 2188 wrote to memory of 3968	2188	server.exe	105
PID 2188 wrote to memory of 3968	2188	server.exe	105
PID 2188 wrote to memory of 3968	2188	server.exe	105

C:\Users\Admin\AppData\Local\Temp\8d2dc9f89bbf0657829b0e6cc54e4df0N.exe
"C:\Users\Admin\AppData\Local\Temp\8d2dc9f89bbf0657829b0e6cc54e4df0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\server.exe
  "C:\Users\Admin\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4932
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3968

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4824

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4048

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StUpdate.exe.log

Filesize
1KB

MD5
04028bdf246e6049a92de5d6abb95273

SHA1
0e7be4490d3399ebc8836fad0400474793a975a7

SHA256
a6f0c94b5f7d30aa3e9108890273f6c33a4cd41ed57ecbd23e3f4fd4ff00a6ef

SHA512
2502a049fb1b6821e314f5bad4daa42e7280939d691985b71b14fa501e5bcf38c9c7cf3de1960cf8c284e70e8d5f423653563ef966b5865ac8090fa7ce574140

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
8f11404a507cfb98455f89a534077f73

SHA1
0716c668f504450353527aff1a6457b8348cf435

SHA256
f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

SHA512
85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

Download Submit
C:\Users\Admin\server.exe

Filesize
2.0MB

MD5
8d2dc9f89bbf0657829b0e6cc54e4df0

SHA1
3e715c611dfd6785cfe456d61b91f2b71ed9f629

SHA256
a426c17474c33a3bc9f5088bebbe240e211696e33e5417a99615d04a5ff55fb3

SHA512
b5421c8f3401b7e59b5e76967efef13875fc66a9d863e57e38e146c6528c73d8444dcfd0d61aab922367f14beee062919db6c1d50668660115da3d1b6b8a4b36

Download Submit
memory/2188-42-0x0000000005640000-0x0000000005656000-memory.dmp

Filesize
88KB

Download
memory/2188-40-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2188-66-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2188-65-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/2188-57-0x00000000069B0000-0x00000000069BA000-memory.dmp

Filesize
40KB

Download
memory/2188-41-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4044-7-0x0000000005D00000-0x0000000005D1C000-memory.dmp

Filesize
112KB

Download
memory/4044-39-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4044-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/4044-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp

Filesize
4KB

Download
memory/4044-2-0x00000000060E0000-0x0000000006684000-memory.dmp

Filesize
5.6MB

Download
memory/4044-4-0x0000000005BD0000-0x0000000005C6C000-memory.dmp

Filesize
624KB

Download
memory/4044-6-0x0000000005A70000-0x0000000005A86000-memory.dmp

Filesize
88KB

Download
memory/4044-5-0x0000000074EE0000-0x0000000075690000-memory.dmp

Filesize
7.7MB

Download
memory/4044-1-0x0000000000EA0000-0x00000000010A0000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads