njrat | 431e12f989dd7a4c9d8235f4fa9f3e026a4b55921aa2fb4942563f857681f06c

General

Target

1917739297383bb37d4f159e8540b70b.exe
Size

43KB
MD5

1917739297383bb37d4f159e8540b70b
SHA1

12447834e3ce0745f5756f492aee4487c6c1cef4
SHA256

431e12f989dd7a4c9d8235f4fa9f3e026a4b55921aa2fb4942563f857681f06c
SHA512

7c8b032480dd4e9d972eceb1e1dc354ce5be2c66d777a12a45e267220e5ab601cbfc95d724379a903f59cdc39265a2e62e3d1a9fa66fbe4d8d71c0fa736489c5
SSDEEP

384:HZyGdElQ5GoyyBrlr0DiEuEe83H/zIIij+ZsNO3PlpJKkkjh/TzF7pWnI/greT0k:5gmolyBr907NRuXQ/o1/+L

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

2.tcp.eu.ngrok.io:11048

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe

Executes dropped EXE 3 IoCs

pid	Process
2392	Dllhost.exe
2144	Server.exe
1616	Server.exe

Loads dropped DLL 1 IoCs

pid	Process
2520	1917739297383bb37d4f159e8540b70b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dllhost.exe\" .."	Dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
14	2.tcp.eu.ngrok.io
30	2.tcp.eu.ngrok.io
32	2.tcp.eu.ngrok.io
2	2.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1917739297383bb37d4f159e8540b70b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2520	1917739297383bb37d4f159e8540b70b.exe
2392	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2392	Dllhost.exe
Token: 33	2392	Dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2392	2520	1917739297383bb37d4f159e8540b70b.exe	31
PID 2520 wrote to memory of 2392	2520	1917739297383bb37d4f159e8540b70b.exe	31
PID 2520 wrote to memory of 2392	2520	1917739297383bb37d4f159e8540b70b.exe	31
PID 2520 wrote to memory of 2392	2520	1917739297383bb37d4f159e8540b70b.exe	31
PID 2392 wrote to memory of 3036	2392	Dllhost.exe	32
PID 2392 wrote to memory of 3036	2392	Dllhost.exe	32
PID 2392 wrote to memory of 3036	2392	Dllhost.exe	32
PID 2392 wrote to memory of 3036	2392	Dllhost.exe	32
PID 2288 wrote to memory of 2144	2288	taskeng.exe	35
PID 2288 wrote to memory of 2144	2288	taskeng.exe	35
PID 2288 wrote to memory of 2144	2288	taskeng.exe	35
PID 2288 wrote to memory of 2144	2288	taskeng.exe	35
PID 2288 wrote to memory of 1616	2288	taskeng.exe	36
PID 2288 wrote to memory of 1616	2288	taskeng.exe	36
PID 2288 wrote to memory of 1616	2288	taskeng.exe	36
PID 2288 wrote to memory of 1616	2288	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\1917739297383bb37d4f159e8540b70b.exe
"C:\Users\Admin\AppData\Local\Temp\1917739297383bb37d4f159e8540b70b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Roaming\Dllhost.exe
  "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3036

C:\Windows\system32\taskeng.exe
taskeng.exe {1528CC60-E192-46D9-8094-AA9B47D889D3} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dllhost.exe

Filesize
43KB

MD5
1917739297383bb37d4f159e8540b70b

SHA1
12447834e3ce0745f5756f492aee4487c6c1cef4

SHA256
431e12f989dd7a4c9d8235f4fa9f3e026a4b55921aa2fb4942563f857681f06c

SHA512
7c8b032480dd4e9d972eceb1e1dc354ce5be2c66d777a12a45e267220e5ab601cbfc95d724379a903f59cdc39265a2e62e3d1a9fa66fbe4d8d71c0fa736489c5

Download Submit
memory/2144-20-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/2392-10-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-11-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2392-12-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-16-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-17-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/2520-2-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2520-13-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads