njrat | 04e97dbc7db19b374dafa082b33ccc15634a03efc983df464b31a9361dd0381b

General

Target

PRo.exe
Size

549KB
MD5

d9b36da4c6f7bfab1273c40a4bbe1bfd
SHA1

1165f3771e2ea625998bcf9f6ebbc8d613dee7e4
SHA256

28b04371a3ff0a336d17dcf8f5d5a3db75f99bc0d3ed580c5f8081946f17a441
SHA512

709c8a6ea279b335713a2e64480fd30590d9f3cc67c6379ac46c72ffa7b8308437c3a4edef579a535d70e07686ff691b6037e81850d4eeac1e1173b3a67e3a24
SSDEEP

12288:J0nyfXuIBDtfurD6DmzHPoxhJeFRvGOozGATzQiwml41q:Gny/f9ur+DkUeFRvGpFTciwml+q

Score

10^/10

njrat سيرفر هكر من شبح discovery evasion persistence privilege_escalation trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

سيرفر هكر من شبح

C2

networkishacj.ddnsking.com:1177

Mutex

2f4a36e5ad189c706256137bb03a7d93

Attributes

reg_key
2f4a36e5ad189c706256137bb03a7d93
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2540	netsh.exe

Executes dropped EXE 3 IoCs

pid	Process
2060	PRo.exe
1248	Fapro.exe
2768	svchost.exe

Loads dropped DLL 7 IoCs

pid	Process
2592	PRo.exe
2592	PRo.exe
2592	PRo.exe
2592	PRo.exe
2592	PRo.exe
2592	PRo.exe
2592	PRo.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000700000001707c-44.dat	vmprotect
behavioral1/files/0x0008000000016edb-47.dat	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\2f4a36e5ad189c706256137bb03a7d93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2f4a36e5ad189c706256137bb03a7d93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259446120	PRo.exe
File created	C:\Windows\SysWOW64\Fapro.exe	PRo.exe
File opened for modification	C:\Windows\SysWOW64\Fapro.exe	PRo.exe
File created	C:\Windows\SysWOW64\PRo.exe	PRo.exe
File opened for modification	C:\Windows\SysWOW64\PRo.exe	PRo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRo.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe
Token: 33	2768	svchost.exe
Token: SeIncBasePriorityPrivilege	2768	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 2060	2592	PRo.exe	31
PID 2592 wrote to memory of 1248	2592	PRo.exe	32
PID 2592 wrote to memory of 1248	2592	PRo.exe	32
PID 2592 wrote to memory of 1248	2592	PRo.exe	32
PID 2592 wrote to memory of 1248	2592	PRo.exe	32
PID 1248 wrote to memory of 2768	1248	Fapro.exe	33
PID 1248 wrote to memory of 2768	1248	Fapro.exe	33
PID 1248 wrote to memory of 2768	1248	Fapro.exe	33
PID 2768 wrote to memory of 2540	2768	svchost.exe	34
PID 2768 wrote to memory of 2540	2768	svchost.exe	34
PID 2768 wrote to memory of 2540	2768	svchost.exe	34

C:\Users\Admin\AppData\Local\Temp\PRo.exe
"C:\Users\Admin\AppData\Local\Temp\PRo.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\PRo.exe
  "C:\Windows\System32\PRo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\SysWOW64\Fapro.exe
  "C:\Windows\System32\Fapro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PRo\12.0.exe

Filesize
92KB

MD5
c057d336406f0cf2ffd0f8fa593a8448

SHA1
8df9101423568954bf71436cafaae597d98a111a

SHA256
5744035d8c53b308edf4ee9529acccebb0b9df46b11d4d1465256f9109764920

SHA512
acd34140ddeb521cfaf6c615b42c97b89d2f6bdd82a840b4c108f7b9cbcc83137db1f8e90699dd309f5bf55172a0f0fd59e61654108a845b125b83592b82e7b9

Download Submit
C:\PRo\FapCF2.dll

Filesize
136KB

MD5
94a22069399eb7a16b18d0d3518aca22

SHA1
ac712e856dc2c7b9135a7c84c05e5de673885100

SHA256
0806d5ec3ba3ffe76e01948378b4e085d63c2b455b4b995ca6e363283ab7931f

SHA512
adfe8e4d37a5366272a284695f97234fde4333aec93da015a0d9e47ea8799f067cf1dcdccc3d1e05cf9f7f6bcabcf79d17e92c819254a324badf1bf1747bc61f

Download Submit
C:\Windows\SysWOW64\Fapro.exe

Filesize
120KB

MD5
4c17d7686f25134e7ab0dab92b25cbd4

SHA1
5dc415f33bd8a00d09c3ff602f119917ff050208

SHA256
94cd58c5c2ecfcd77d3809bb043171becf0ac834afc4280322dbc4f8ed0dd705

SHA512
750b989f63abc392ca2afa187b8435aae51afa1b5756c7970d6e5fa81ce25cacfd3dab6de6627b328bbb962dfa40103f71afe0412e64549a0162cc870f9f2814

Download Submit
\Windows\SysWOW64\PRo.exe

Filesize
394KB

MD5
751be58d227f0f7a57fb9e243213d406

SHA1
84cf1828ccbae0328f8565734f73f534f1601c4c

SHA256
1b11eb1d7ec59e01ad81115cb0570834d0298e4cfa67d861aa218ff7f307b1b9

SHA512
30b809fe8172abbcd8628d04e7496b2471afe04b3b0106722de56248781de05e6e5bb1402cff3cf548e42d282aa7e684fabf5dc8e138630ae9385c296bf223fd

Download Submit
memory/1248-29-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads