Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 21:25

General

  • Target

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe

  • Size

    119KB

  • MD5

    97f7e589999872e0847d256b24acc848

  • SHA1

    23463d7f8075dff1047f776f80c989f1f435df42

  • SHA256

    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd

  • SHA512

    fcb53a14a43cb9be8b8d8fd46faf6fed074c57106aef0c590efdc1edba5e20a84a63045eb8c612d1e440f7ca6a6fac7f4cd84010bba8ed4ce9a11384ba821185

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMDLVg+:P5eznsjsguGDFqGZ2rDLT

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    "C:\Users\Admin\AppData\Local\Temp\368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
      "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2576

Network

  • flag-us
    DNS
    crl.microsoft.com
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.19.252.143
    a1363.dscg.akamai.net
    IN A
    2.19.252.157
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    Remote address:
    2.19.252.143:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: +oTkvMkqpdtzWrUHEQQM3g==
    Last-Modified: Thu, 12 Dec 2024 00:06:56 GMT
    ETag: 0x8DD1A40E476D877
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: 346168ca-101e-0054-5d36-4c18bd000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 22 Dec 2024 21:26:01 GMT
    Connection: keep-alive
  • flag-us
    DNS
    www.microsoft.com
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    184.25.193.234
  • flag-gb
    GET
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    Remote address:
    184.25.193.234:80
    Request
    GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Mon, 03 Jun 2024 21:25:24 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1078
    Content-Type: application/octet-stream
    Content-MD5: PjrtHAukbJio72s77Ag5mA==
    Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
    ETag: 0x8DCFA0366D6C4CA
    x-ms-request-id: ca00f663-501e-0037-2bf2-2b8546000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sun, 22 Dec 2024 21:26:01 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV6de02c33.0
    ms-cv-esi: CASMicrosoftCV6de02c33.0
    X-RTag: RT
  • flag-us
    DNS
    doddyfire.linkpc.net
    chargeable.exe
    Remote address:
    8.8.8.8:53
    Request
    doddyfire.linkpc.net
    IN A
    Response
    doddyfire.linkpc.net
    IN A
    181.52.175.2
  • 2.19.252.143:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    445 B
    1.7kB
    5
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 184.25.193.234:80
    http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    http
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    439 B
    1.7kB
    5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl

    HTTP Response

    200
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 181.52.175.2:10000
    doddyfire.linkpc.net
    chargeable.exe
    152 B
    3
  • 8.8.8.8:53
    crl.microsoft.com
    dns
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.19.252.143
    2.19.252.157

  • 8.8.8.8:53
    www.microsoft.com
    dns
    368cabdf1fc0e857feeacb1d64383965734622a5d9a21cecbb54682ea50114bd.exe
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    184.25.193.234

  • 8.8.8.8:53
    doddyfire.linkpc.net
    dns
    chargeable.exe
    66 B
    82 B
    1
    1

    DNS Request

    doddyfire.linkpc.net

    DNS Response

    181.52.175.2

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE

    Filesize

    1KB

    MD5

    fa84e4bcc92aa5db735ab50711040cde

    SHA1

    084f1cb4c47fdd3be1c833f58359ec8e16f61eb4

    SHA256

    6d7205e794fde4219a62d9692ecddf612663a5cf20399e79be87b851fca4ca33

    SHA512

    261a327ed1dffd4166e215d17bfd867df5b77017ba72c879fb2675cfb8eef48b374f6de41da0e51ba7adb9c0165bb2c831840603e873f6429963afd0cb93007f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956

    Filesize

    1KB

    MD5

    3e3aed1c0ba46c98a8ef6b3bec083998

    SHA1

    8df2ba67925f2c9580ead34fc567acd35c55b416

    SHA256

    3fab079f84b987b1a1e305228bd9d2c7dc9a4033b62d3715073c009391fc949f

    SHA512

    f0afb50c3ca2843e0dde736e5ce6d327ad2b70ae3e04c46c658878208dbd242059efc414f8eff22e9e6034a4a4948b34bdd612c5156c3d9a7fcbd38238066b29

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE

    Filesize

    264B

    MD5

    a7fbd11e745b97dbbb48161f696e39dd

    SHA1

    410593ec85ab8bc1e470b2519707938412e211ed

    SHA256

    fde70fb8d1e24c168189646f504d21d988a48685317dedb7e4fa6968340e4443

    SHA512

    23453b34d195ddb54d98edf888081661ac7f71d22657abdd3011f140ed3d3f9a32a903cc2bd587dd98330584fb7b74facf5eb553ebb8b37639effe39fcb7e496

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e4eeb0757c8401bfb93a8983bce45eef

    SHA1

    b7dd84b99d378769bb964b33800d171f7bf3f02c

    SHA256

    e89ae9583ae222a3c45a77f2f87e3566111476cf42a4a4059f1f1fcd0077404d

    SHA512

    158c732e9b7b538b1c06cbb8afaedb4b519825b91ce608f8fc982362b39cd17610062ff0dbe3fa2ac541c34405cc9ffdb0237529484e721abcfe8b9c48f18721

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    34db185b1cfc16f965fd4b01a589487b

    SHA1

    4f83ce8b371449ca0479c2ef67314a30f899d5e3

    SHA256

    2bff777dec9b81045c27034713b4f014fe1681ab3c9fa7658462e32f81f9b353

    SHA512

    d1b326fca8e057d7b74e9a2c78817a1b5a2adcad14f42a20fa7d74b947a1f1086d03177f18f704e3177df83ef265e9e1aacbe80f89b820706d01b71dcc135c8d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2f511a33add3618038b08ff9e98d6ef2

    SHA1

    db7a8c29b0497eed2bc4c8b8a83998e991b38dd9

    SHA256

    32accaf02a67fdd93094282bb380b45e5def83ebe4f5bc000f9e028837f4e004

    SHA512

    481c2523ebe97ee46ba71ad2b31a80101ab9be4f5a16def7c4882efe7c704c5fcbed852eaac135a4e33d966b0e028236afbee72dc871f29403ef646ced015562

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956

    Filesize

    252B

    MD5

    f679a43e3b11554013c3576ad920ea7c

    SHA1

    fe608ffe22a20aa0bb2e888ba98f4182288ca1e9

    SHA256

    e8e89434b211147cfaf26a93eb732ab74aafc4aabb8a23c0b96b60da2153d117

    SHA512

    2e8acafe8ab6b4c4b83953fa4747f0421f47cb1fa22363af26de3fe76df39be49421be3843727c9672c62b433e56c8a61161d7513450dca5f6fca6b986a17d48

  • C:\Users\Admin\AppData\Local\Temp\Cab63E3.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar63E6.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \Users\Admin\AppData\Roaming\confuse\chargeable.exe

    Filesize

    119KB

    MD5

    5662d52590ceb2b4f8b079a103b7b8da

    SHA1

    83252151f4619d069443d7601e5be488f04531f9

    SHA256

    54655972e31238e1ea49c9f8f9cb93868a3c79b4f46687987868a1716301010a

    SHA512

    c5586838314136add5bb3dbf802fc3fb5a6f1e270f5882295ee30a229877ddf3283c22105e18c0f0614aa0ec98b533749f2b02a81914de1e86bee47c5da59a62

  • memory/2312-183-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-0-0x00000000742D1000-0x00000000742D2000-memory.dmp

    Filesize

    4KB

  • memory/2312-8-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/2312-173-0x00000000742D0000-0x000000007487B000-memory.dmp

    Filesize

    5.7MB

  • memory/2752-351-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2752-354-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2752-353-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB
