njrat | 17d0bef5296fdef3bca0bee36e09baf19e258c6290f41849c3a92132d0cf54d3

General

Target

Server.exe
Size

43KB
MD5

3b426fddedbb6f2ba8debc7eefe1ffb0
SHA1

8e69d401eb75f78de701954d595156826d324a7e
SHA256

17d0bef5296fdef3bca0bee36e09baf19e258c6290f41849c3a92132d0cf54d3
SHA512

2edb6201132390d985f4e1c1f476cb0de02dba05d826f2087c77b8f577a84ad59a787f46c0a40a01f10a8073cda052e5d9071474248c71cb8bc75358a323d8d4
SSDEEP

384:YZyJj+CdsbhKIyKRBxwOIEWrr2z8Iij+ZsNO3PlpJKkkjh/TzF7pWnvW/greT0pu:u2NiwFKDx3ukuXQ/oCW/+L

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

run-julie.gl.at.ply.gg:56057

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe

Executes dropped EXE 3 IoCs

pid	Process
3408	Dllhost.exe
32	Server.exe
2376	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
656	Server.exe
3408	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe
Token: 33	3408	Dllhost.exe
Token: SeIncBasePriorityPrivilege	3408	Dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 3408	656	Server.exe	79
PID 656 wrote to memory of 3408	656	Server.exe	79
PID 656 wrote to memory of 3408	656	Server.exe	79
PID 3408 wrote to memory of 2416	3408	Dllhost.exe	80
PID 3408 wrote to memory of 2416	3408	Dllhost.exe	80
PID 3408 wrote to memory of 2416	3408	Dllhost.exe	80

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:656
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2416

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:32

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

Filesize
507B

MD5
a5dcb915b1da3d8018340dba2a1f9974

SHA1
a43d74ff34081e4aa9084823ad1a478db8ab71d8

SHA256
045747003a499b85c29dc17bf70ae48279d05a87b8971b23ede053ba8a404750

SHA512
b778c0ba685be49fe295d2b3dea3dd727db14c7fade7521ddb3fd845641082751abcb8b2c8f59635c576ec550c2218585804890c2e2c4cb28f2ebbf1128142e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

Filesize
43KB

MD5
3b426fddedbb6f2ba8debc7eefe1ffb0

SHA1
8e69d401eb75f78de701954d595156826d324a7e

SHA256
17d0bef5296fdef3bca0bee36e09baf19e258c6290f41849c3a92132d0cf54d3

SHA512
2edb6201132390d985f4e1c1f476cb0de02dba05d826f2087c77b8f577a84ad59a787f46c0a40a01f10a8073cda052e5d9071474248c71cb8bc75358a323d8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
86KB

MD5
851ce219d1da80d4bf9d0b6827d99437

SHA1
7802f028715c0972ea314730a7b0cd8b59cf088f

SHA256
45740931b853d9e8531093ec293fe0e69521610684359aa21637097efe00f9b0

SHA512
9b1433617d3cc3e318baed2aa8cb0d6182325f3749f93440b8f89f033b62ae14ed745d11142520b3737324885133cd056bf1f098c80b9d8a65ce77b7f14e2a78

Download Submit
memory/32-27-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/32-25-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/656-15-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/656-4-0x0000000005E20000-0x0000000005EB2000-memory.dmp

Filesize
584KB

Download
memory/656-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/656-5-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/656-3-0x0000000006330000-0x00000000068D6000-memory.dmp

Filesize
5.6MB

Download
memory/656-2-0x00000000059E0000-0x0000000005A7C000-memory.dmp

Filesize
624KB

Download
memory/656-1-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/3408-16-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3408-17-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3408-20-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3408-21-0x00000000749D0000-0x0000000075181000-memory.dmp

Filesize
7.7MB

Download
memory/3408-22-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads