njrat | 861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

General

Target

ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Size

93KB
MD5

ccb06fa4b339cc8ff5ae2331dda084b4
SHA1

0d1af1ebe0cb29ebf9ea4c76a7630661553b64db
SHA256

861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953
SHA512

a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952
SSDEEP

1536:InwEnYi9bzKuZ+8uZ3nV5XS65mkrPZ58kzQ+e+e+:IwaYi9bsh7J7M+e+e+

Score

10^/10

njrat steam discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Steam

C2

40.80.147.203:8080

Mutex

Steam

Attributes

reg_key
Steam
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Steam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	Steam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
968	Steam.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Windows\\Steam.exe"	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Steam2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Steam.URL"	Steam.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Steam.exe	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
File opened for modification	C:\Windows\Steam.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe
Token: 33	968	Steam.exe
Token: SeIncBasePriorityPrivilege	968	Steam.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 968	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	87
PID 1236 wrote to memory of 968	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	87
PID 1236 wrote to memory of 968	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	87
PID 1236 wrote to memory of 2916	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	88
PID 1236 wrote to memory of 2916	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	88
PID 1236 wrote to memory of 2916	1236	ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe	88
PID 968 wrote to memory of 4356	968	Steam.exe	101
PID 968 wrote to memory of 4356	968	Steam.exe	101
PID 968 wrote to memory of 4356	968	Steam.exe	101
PID 968 wrote to memory of 4468	968	Steam.exe	102
PID 968 wrote to memory of 4468	968	Steam.exe	102
PID 968 wrote to memory of 4468	968	Steam.exe	102

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2916	attrib.exe
4356	attrib.exe
4468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccb06fa4b339cc8ff5ae2331dda084b4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\Steam.exe
  "C:\Windows\Steam.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4356
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4468
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Windows\Steam.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk

Filesize
1KB

MD5
3b03ef5a61fda1718d52f11cdda22f20

SHA1
9b4a071a8dbfa593ad6b7f4670f7898810b56127

SHA256
2fe5de2e6a4ddaff4a436a55c4567207a248e8010a0af015e282f89a16a0cb4b

SHA512
ee55c6697c9802e2f0032c5157243034320a8253f9831d8b7a020dba721fc0af9288327ba3c905c0095cdfacd5838187063a26c3157f4515fe3f35f660cf578d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Steam.lnk

Filesize
1KB

MD5
36b82059347893bb0c00905481692cab

SHA1
ac7079b0ae702d9aaf06adfaf8b84ceabdf9c59f

SHA256
f72eade760b200d9ba5ebcec2ae7135fe2c9d5ced68a32433777424e2d686e45

SHA512
a1b96ef3c6172b08c70429290b1b438741e415ddbb170c6009c3e0f16c0b62a18220321aef4edf7d34478d3c627e39d293997d6ef613dd807e6e0e85329a51b2

Download Submit
C:\Windows\Steam.exe

Filesize
93KB

MD5
ccb06fa4b339cc8ff5ae2331dda084b4

SHA1
0d1af1ebe0cb29ebf9ea4c76a7630661553b64db

SHA256
861c62fc1b264801e17d6a61ac6579a3b7d6d39e2f35aec69fc1b8300f42c953

SHA512
a716f4906ac8ba1135471deef804e886891cfdc7b3f8b8d471a8fec0aadb0a39051b5adb3930c6a715b2c7a6a46168bacb6ef9705925bfd02fd88b4ebc335952

Download Submit
memory/968-22-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/968-16-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/968-23-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/968-25-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/968-26-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/968-27-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/1236-5-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1236-15-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/1236-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/1236-1-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/1236-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads