njrat | b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0

General

Target

b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe
Size

300KB
MD5

01270ff6e341bbbce727b7b08c35fbf0
SHA1

049d0466652df9730972ee4351fcaf5f57042f2f
SHA256

b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0
SHA512

9d87f8f2e7fe25aac9c63528c0f1a4dd36eae0d183756bb85456f1e8aaee855ab603522353fe7446139b1d0f4aa0b46cb4ca96f2b8da724a5bf6abb0d2e09e4c
SSDEEP

1536:vDvE9TzQlzEyQ3FKeh+cMGgdP2WW5MeGD7BKb7+it2SDS29xlqU3u:vDvYgcscId+WWH2cDS29xlqU3u

Score

10^/10

njrat nano discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

nano

C2

haraga.no-ip.org:5552

Mutex

9685b74638ccc581030bfdb825e77a1e

Attributes

reg_key
9685b74638ccc581030bfdb825e77a1e
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1724	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9685b74638ccc581030bfdb825e77a1e.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9685b74638ccc581030bfdb825e77a1e.exe	server.exe

Executes dropped EXE 4 IoCs

pid	Process
2308	LocalzCKQfzctlg.exe
2672	LocalzCKQfzctlg.exe
1060	server.exe
2032	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	LocalzCKQfzctlg.exe
1060	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\9685b74638ccc581030bfdb825e77a1e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9685b74638ccc581030bfdb825e77a1e = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	LocalzCKQfzctlg.exe
File created	C:\autorun.inf	server.exe
File created	C:\autorun.inf	LocalzCKQfzctlg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2672	2308	LocalzCKQfzctlg.exe	32
PID 1060 set thread context of 2032	1060	server.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalzCKQfzctlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalzCKQfzctlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2308	LocalzCKQfzctlg.exe
2308	LocalzCKQfzctlg.exe
2308	LocalzCKQfzctlg.exe
1060	server.exe
1060	server.exe
1060	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	LocalzCKQfzctlg.exe
Token: SeDebugPrivilege	1060	server.exe
Token: SeDebugPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe
Token: 33	2032	server.exe
Token: SeIncBasePriorityPrivilege	2032	server.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2308	2212	b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe	30
PID 2212 wrote to memory of 2308	2212	b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe	30
PID 2212 wrote to memory of 2308	2212	b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe	30
PID 2212 wrote to memory of 2308	2212	b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe	30
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2308 wrote to memory of 2672	2308	LocalzCKQfzctlg.exe	32
PID 2672 wrote to memory of 1060	2672	LocalzCKQfzctlg.exe	34
PID 2672 wrote to memory of 1060	2672	LocalzCKQfzctlg.exe	34
PID 2672 wrote to memory of 1060	2672	LocalzCKQfzctlg.exe	34
PID 2672 wrote to memory of 1060	2672	LocalzCKQfzctlg.exe	34
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 1060 wrote to memory of 2032	1060	server.exe	35
PID 2032 wrote to memory of 1724	2032	server.exe	36
PID 2032 wrote to memory of 1724	2032	server.exe	36
PID 2032 wrote to memory of 1724	2032	server.exe	36
PID 2032 wrote to memory of 1724	2032	server.exe	36

C:\Users\Admin\AppData\Local\Temp\b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe
"C:\Users\Admin\AppData\Local\Temp\b6df3e2662f09e833ed1069cddd625f84c3984c17c29ef8a3a93c7805e0692f0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\LocalzCKQfzctlg.exe
  "C:\Users\Admin\AppData\LocalzCKQfzctlg.exe"
  2⤵
  - Executes dropped EXE
  - Drops autorun.inf file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\LocalzCKQfzctlg.exe
    C:\Users\Admin\AppData\LocalzCKQfzctlg.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops autorun.inf file
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalzCKQfzctlg.exe

Filesize
242KB

MD5
433ae07b66bf4e2dfe0c17044f07cd0d

SHA1
eef7146234aa72a8129319d4244dbe7ac95ea58c

SHA256
643290b2148f53b035be768bac88429db0a326faef5fe8420f12e754470a0e18

SHA512
d2e47855fc7f88b77019c8cebd32e119624147ea410fc798cd75a3ae82e8d11a5585eedf6ea44dac4fff0e3a5dd06375082e65708d75dc6d9604e0f0d596b009

Download Submit
memory/1060-56-0x0000000000FB0000-0x0000000000FF2000-memory.dmp

Filesize
264KB

Download
memory/2212-13-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2212-9-0x000007FEF5B60000-0x000007FEF64FD000-memory.dmp

Filesize
9.6MB

Download
memory/2212-10-0x0000000002200000-0x0000000002210000-memory.dmp

Filesize
64KB

Download
memory/2212-12-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x000007FEF5E1E000-0x000007FEF5E1F000-memory.dmp

Filesize
4KB

Download
memory/2308-43-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-39-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-15-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/2308-18-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-19-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-11-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/2308-42-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-41-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-40-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-14-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/2308-38-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-8-0x0000000000CA0000-0x0000000000CE2000-memory.dmp

Filesize
264KB

Download
memory/2308-48-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download
memory/2308-33-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2308-32-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2672-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2672-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2672-37-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads