Overview

overview

10

Static

static

3

BackSide.scr

windows7-x64

10

BackSide.scr

windows10-2004-x64

10

PlaySide.scr

windows7-x64

10

PlaySide.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 04:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BackSide.scr

  • Size

    1.2MB

  • MD5

    fc0eda848858a83000947398e4fc5988

  • SHA1

    6a1ef4d79282cf7415e031a1f9597f2f527fb351

  • SHA256

    b3d5d4f086b549051ef58260a81a2b4a8a53423ba17fae0ebc1d5be5fa800d12

  • SHA512

    ffd6eff982feb4848d4b8cd54ce8527eaef415e0dcc780ba2d768be9c5143396e4e9fd7e3ba608a15d24f7d0aa9f11d267d330910c8b314f6eae88c173dddc15

  • SSDEEP

    24576:hs2m37uALHllEhLl9jEfoE+q4B0McK4KrD35N7dfGs:hs2m37uAzAhLlVEfvCCuLAs

Score
10/10
njratjiolliapadefense_evasiondiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

JIoLLIaPa

C2

193.218.141.160:1100

Mutex

25b7ccb5b0dc716d27e2168346698c0b

Attributes
  • reg_key

    25b7ccb5b0dc716d27e2168346698c0b

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BackSide.scr
    "C:\Users\Admin\AppData\Local\Temp\BackSide.scr" /S
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Users\Admin\AppData\Local\Temp\Screenshot.scr
      "C:\Users\Admin\AppData\Local\Temp\Screenshot.scr" /S
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Roaming\Windowslog.exe
        "C:\Users\Admin\AppData\Roaming\Windowslog.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3012
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windowslog.exe" "Windowslog.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\BackSide.scr" >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1332
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CLOVUfy.jpg
    Filesize

    489KB

    MD5

    53d0b470a2d8cb76ba69e5fc18470d3b

    SHA1

    130f1aa5fa9e7dda6d3908a8d871ec6551c2c970

    SHA256

    7c7db1bc19e5034f0be6cd869362ee7f1815724c6ad5a6d0630e24271c988868

    SHA512

    0ba6e9cb3effbc9b2ca2c09efdf193e8649556aa1d67582fd9c25c0c755fde1d502f8b6454be7c3ee4d1812340e14a5439b05142972c2f16f588106b71200325

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Screenshot.scr
    Filesize

    390KB

    MD5

    f242e86161084bd0f36570aa2668e64c

    SHA1

    7b57dc7166b42069cac83d4bd36a3153806c938d

    SHA256

    f6ecd614bf4b9a1559af590275f5daeb7733451b654d1ed2f0ef92a8a1a95396

    SHA512

    bbc9008132c1e44b98c036dc24be3a230076fd5df6404750b3c6e04f44b66c847857fdbaeb6056bf3051f03cb932c7b47a8431bf69467a4d0dd1d63166c35e10

    Download Submit

  • memory/864-11-0x00000000026A0000-0x00000000026A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1284-10-0x0000000074851000-0x0000000074852000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1284-13-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1284-14-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1284-22-0x0000000074850000-0x0000000074DFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2452-12-0x00000000001A0000-0x00000000001A2000-memory.dmp

    Filesize

    8KB

    Download