njrat | bd0be20774a92281bace372798dd040d22139c183c75640d234a3df26d4bd089

General

Target

HQ Dorks Generator.exe
Size

848KB
MD5

a920b8ebf266ee37c1e114ae12dba6a1
SHA1

ad742e8769fbe8e089707bc3d81f3348b54f6838
SHA256

bd0be20774a92281bace372798dd040d22139c183c75640d234a3df26d4bd089
SHA512

cbb9b70c7fe3ff38b7141ab7a3278b9864b0c1300ea40f374b61f4c062e70aad1fa04efc92415585104c4524f468c0bcbc3d133e0eb12782c1bef599f1c126a4
SSDEEP

12288:0/t6UGM7QsdexpZwbsfxOXurBjpOUREzLw2f1WrG8HXXQG6:RG5+obsfxlrBj0+EzLwW1T8HQ

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

10cpanel.hackcrack.io:33982

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1956	netsh.exe

Executes dropped EXE 6 IoCs

pid	Process
2540	Setup.exe
2180	Setup.exe
1900	HQ Dorks Generator .exe
2788	svchost.exe
1668	explorer.exe
1708	explorer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HQ Dorks Generator .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	HQ Dorks Generator .exe
Token: SeDebugPrivilege	1708	explorer.exe
Token: 33	1708	explorer.exe
Token: SeIncBasePriorityPrivilege	1708	explorer.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2540	3016	HQ Dorks Generator.exe	30
PID 3016 wrote to memory of 2540	3016	HQ Dorks Generator.exe	30
PID 3016 wrote to memory of 2540	3016	HQ Dorks Generator.exe	30
PID 3016 wrote to memory of 2180	3016	HQ Dorks Generator.exe	31
PID 3016 wrote to memory of 2180	3016	HQ Dorks Generator.exe	31
PID 3016 wrote to memory of 2180	3016	HQ Dorks Generator.exe	31
PID 3016 wrote to memory of 1900	3016	HQ Dorks Generator.exe	32
PID 3016 wrote to memory of 1900	3016	HQ Dorks Generator.exe	32
PID 3016 wrote to memory of 1900	3016	HQ Dorks Generator.exe	32
PID 3016 wrote to memory of 1900	3016	HQ Dorks Generator.exe	32
PID 2540 wrote to memory of 2788	2540	Setup.exe	33
PID 2540 wrote to memory of 2788	2540	Setup.exe	33
PID 2540 wrote to memory of 2788	2540	Setup.exe	33
PID 2788 wrote to memory of 1668	2788	svchost.exe	35
PID 2788 wrote to memory of 1668	2788	svchost.exe	35
PID 2788 wrote to memory of 1668	2788	svchost.exe	35
PID 1668 wrote to memory of 1708	1668	explorer.exe	36
PID 1668 wrote to memory of 1708	1668	explorer.exe	36
PID 1668 wrote to memory of 1708	1668	explorer.exe	36
PID 1708 wrote to memory of 1956	1708	explorer.exe	37
PID 1708 wrote to memory of 1956	1708	explorer.exe	37
PID 1708 wrote to memory of 1956	1708	explorer.exe	37

C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator.exe
"C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1668
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Windows\system32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1956
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe
  "C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HQ Dorks Generator .exe

Filesize
352KB

MD5
047f6a433933c39cde9f6025d5d1a9cd

SHA1
29ce4ed295f8bdb648abfdb3fa43daa320573fca

SHA256
87260300a5d5575a76dd44c3f0ae8c4bad7e94000990d67c9e7fffcedb586473

SHA512
9227991f2126d7948ccb30c80d62162b82e12119edf5c9503a19b60d4b6b2bfe899536e7df47d960ec1128e70bb30a1fa0c93557e9d179c144298d133448d065

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
358KB

MD5
59a4e3557cba5cd6e3241bc17cabb577

SHA1
d668b5fc3bd2fdf0b556cc62d863cc663c859d14

SHA256
524f0223999e825f11898e1bac85bcf7526902da9d2796f42a068144cdd0dc53

SHA512
64e3ae8f6ad577fd51446f6013efcd6d4883c7b27effdc89993c17a2b8f4570bee0ae1557fc76483220064b1b799b01b821b8fc5d9180e9d76f10b96ac278ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
memory/1668-48-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1900-22-0x0000000001310000-0x0000000001370000-memory.dmp

Filesize
384KB

Download
memory/1900-35-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2540-20-0x00000000009C0000-0x00000000009EC000-memory.dmp

Filesize
176KB

Download
memory/2540-15-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-34-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2540-18-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-33-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3016-0-0x000007FEF633E000-0x000007FEF633F000-memory.dmp

Filesize
4KB

Download
memory/3016-19-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-3-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-2-0x000007FEF6080000-0x000007FEF6A1D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads