njrat | cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310

General

Target

cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Size

1.7MB
MD5

b0dc514d703c941c8f2a0301611d40fc
SHA1

24e11b8026836601b58c6c5669edbea8c5cd5704
SHA256

cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310
SHA512

8db960f7868bc6cf31ec9fb5542df3c72dc43f74ac26e68d349700a91e34427cde463337f7e3bf1e0a2fdde952e2c535304c0f7aa6c8105ab3ce3b9edd2b4fea
SSDEEP

49152:95JYY7I66osv7LysFBAmsx0Rbt0FPTudDO:pYYbrsCsFnH0F72DO

Score

10^/10

njrat strangerjack discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

strangerjack

C2

127.0.0.1:6666

Mutex

11449a6d98419174eacab32de56c3d2c

Attributes

reg_key
11449a6d98419174eacab32de56c3d2c
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4700	netsh.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/384-1-0x0000000000F00000-0x00000000010BC000-memory.dmp	net_reactor

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: 33	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
Token: SeIncBasePriorityPrivilege	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 4700	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe	92
PID 384 wrote to memory of 4700	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe	92
PID 384 wrote to memory of 4700	384	cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe	92

C:\Users\Admin\AppData\Local\Temp\cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe
"C:\Users\Admin\AppData\Local\Temp\cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe" "cd1bf46e23edc59c8ede6605c0c090ce9e82e9ae5160e3bd85238d23f784c310.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-0-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/384-1-0x0000000000F00000-0x00000000010BC000-memory.dmp

Filesize
1.7MB

Download
memory/384-2-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/384-3-0x0000000005B30000-0x0000000005BCC000-memory.dmp

Filesize
624KB

Download
memory/384-4-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/384-5-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/384-6-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/384-7-0x0000000006F30000-0x0000000006FC2000-memory.dmp

Filesize
584KB

Download
memory/384-8-0x0000000005580000-0x000000000558A000-memory.dmp

Filesize
40KB

Download
memory/384-9-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads