njrat | 861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

General

Target

ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Size

93KB
MD5

ccb06fa4b339cc8ff5ae2331dda084b4
SHA1

0d1af1ebe0cb29ebf9ea4c76a7630661553b64db
SHA256

861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953
SHA512

a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952
SSDEEP

1536:InwEnYi9bzKuZ+8uZ3nV5XS65mkrPZ58kzQ+e+e+:IwaYi9bsh7J7M+e+e+

Score

10^/10

njrat steam discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Steam

C2

40.80.147.203:8080

Mutex

Steam

Attributes

reg_key
Steam
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	Steam.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Windows\\Steam.exe"	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Steam.exe	attrib.exe
File created	C:\Windows\Steam.exe	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe
Token: 33	2012	Steam.exe
Token: SeIncBasePriorityPrivilege	2012	Steam.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2012	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2012	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2012	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	31
PID 2568 wrote to memory of 2012	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	31
PID 2568 wrote to memory of 388	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	32
PID 2568 wrote to memory of 388	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	32
PID 2568 wrote to memory of 388	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	32
PID 2568 wrote to memory of 388	2568	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2648	2012	Steam.exe	34
PID 2012 wrote to memory of 2648	2012	Steam.exe	34
PID 2012 wrote to memory of 2648	2012	Steam.exe	34
PID 2012 wrote to memory of 2648	2012	Steam.exe	34
PID 2012 wrote to memory of 2700	2012	Steam.exe	36
PID 2012 wrote to memory of 2700	2012	Steam.exe	36
PID 2012 wrote to memory of 2700	2012	Steam.exe	36
PID 2012 wrote to memory of 2700	2012	Steam.exe	36

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
388	attrib.exe
2648	attrib.exe
2700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Steam.exe
  "C:\Windows\Steam.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2648
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2700
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Windows\Steam.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk

Filesize
1KB

MD5
4a0d927d7a21834daa86eb2a8fcb298d

SHA1
918e73612385cd14ebcdb0e90d28257aa2c15875

SHA256
ed1f23bbec3d7c6ac5743ca690f9e80dc809f31de4049d31758a90e77d3969a5

SHA512
51015e2bf23aa89773385eb87ac206c3cc81cfd5d26cfc6a78222b4c35c05ea20b5f1bf20414c8419fd156e09034451054c0ac2f1e14daa62f22f0a090ca8e40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.lnk

Filesize
1012B

MD5
a7fe9ba862c08467a7c2db62675eddf5

SHA1
cfb401250b4a508f28e8c0bd4f50c5ac50f2cc6c

SHA256
c0f2f92f9b78c1b6a916b4174116638816e04a6a0f3ed2238182b9f422ed053c

SHA512
f2f148ddc7a8af9e95f84bee5130763777fd075333d3dc6f950c0809b81e728d2f5fc58591ecef8fa5cf35c9a0fb54decdd81b25812e75673ec38eb626b7420a

Download Submit
C:\Windows\Steam.exe

Filesize
93KB

MD5
ccb06fa4b339cc8ff5ae2331dda084b4

SHA1
0d1af1ebe0cb29ebf9ea4c76a7630661553b64db

SHA256
861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

SHA512
a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952

Download Submit
memory/2012-11-0x0000000000ED0000-0x0000000000EEE000-memory.dmp

Filesize
120KB

Download
memory/2012-16-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-19-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-20-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x0000000000FD0000-0x0000000000FEE000-memory.dmp

Filesize
120KB

Download
memory/2568-10-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads