njrat | 32208b799047de8f44aeea18a62c8ee4518026141e300ede79494b972c325cc8

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

avaydna.exe
Size

43KB
MD5

63f511fef91ec6145ef47f17947f6d74
SHA1

562dcc427d36d26c98279a53eefc7635f4950652
SHA256

32208b799047de8f44aeea18a62c8ee4518026141e300ede79494b972c325cc8
SHA512

5c0ffecaa517ed2a9be066b9ec5b594d3a22969af7280417c50107202db89eda4671f1014619f1ffdbc0818108d068695e572c99fd8a83579e79e6aa0ed3b3aa
SSDEEP

384:ZZyT5ctOnwtOyW6aEscONE3tvLE02L2IfzgIij+ZsNO3PlpJKkkjh/TzF7pWn61p:7QqAwt/W6ZscONE3RT2LruXQ/oN7+L

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

both-foundations.gl.at.ply.gg:60732

Mutex

Microsoft Edge Updater

Attributes

reg_key
Microsoft Edge Updater
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avaydna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50EB7F61-CB4A-11EF-B467-D2C9064578DD} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	avaydna.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe
Token: 33	2380	avaydna.exe
Token: SeIncBasePriorityPrivilege	2380	avaydna.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2660	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2660	iexplore.exe
2660	iexplore.exe
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2660	2380	avaydna.exe	32
PID 2380 wrote to memory of 2660	2380	avaydna.exe	32
PID 2380 wrote to memory of 2660	2380	avaydna.exe	32
PID 2380 wrote to memory of 2660	2380	avaydna.exe	32
PID 2660 wrote to memory of 1260	2660	iexplore.exe	33
PID 2660 wrote to memory of 1260	2660	iexplore.exe	33
PID 2660 wrote to memory of 1260	2660	iexplore.exe	33
PID 2660 wrote to memory of 1260	2660	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\avaydna.exe
"C:\Users\Admin\AppData\Local\Temp\avaydna.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://meatspin.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2660 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ce02bbeffeeecb80bd8a6c4e3e48cf8

SHA1
c2b799aab8a19e40ca708389540ddba222b4d7dd

SHA256
6de0ca60f61e6803b79565e97a2818009406a14c1162676304f0086cb0524ca8

SHA512
f00445d36258f55400e9b62bf902874f8cb8742397d4a617b63b32b72d8823a173ec3f24263b1878ce483a58034a3e0da65dfb5074cb21e9bddb5a626e7381a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b499c06a0702b9c48d0e42fcc71f5926

SHA1
efbd128f78afb17b5018c224cf8c08b400c77642

SHA256
6e0b2b3aa2ccd99a280d6f7081a44f9b630107583ea81a09cd0d38cb23ff479f

SHA512
1a4e96e5040254acb114b10080fdde7a1f58ab09b725750aaf94e66399e62579121d439b1699dcd0ba4f109edabf1c4b85fa34c8cb1a85867c384fd8207c03b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccd4410d0eeae66e32d82b63ba2908fc

SHA1
8cab75360c4c74b5dca470482e1ed56dab746cd2

SHA256
60aca89e7ec644d5acf1b92d3386c690c220b1d15e0dcf6a50737470c40c0dde

SHA512
7f6e7d89ad5ab400a45a9b203d306ca7798407629568169a4611358c86c00ad245c82584370ea46338d1c689a6895886c563463aba912051c8eb92e20ba5be04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d475892c85fc6c8849015c3e4379d29

SHA1
83c3337e2f7948a921888cd1ea5fa29a3de6ecba

SHA256
bfeaa3f238c068f0c70c9442e88e16de9d9cee9f55d4499f4279c132aa20c87d

SHA512
50c84f15b9b4bc885b51ca50223c31d9670ad12a045e8d8eec1247193b77e60c7c59ae936730f9570307db9d3ccc952bb43edc5698797260971a03ecbfc6cf57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff70fb817682664a40dfad3b4edd3525

SHA1
8f01dc7344eeb18fa8a23d3e47be6b9f23f76e39

SHA256
a6b624b946bb87443e8f6f243bb500f8b080aba8c81bfb59c30f5196f52767e0

SHA512
0fdcc8431084e0d49e2e1122ae7eca54635ab582956103417ae51af314c083306532c0c0d9d37586d80b4818ac9c8a8e93c7d3beaed2b99691df207c4fdbf22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4582297d651068cb46fca03c1bdaf8d

SHA1
9365fc1ff695fb7f7baf1209ea4b23b010d7ff97

SHA256
41ac6d6dafa225da1602c2ec4f3d9f5c9330a91e225949b5bd073b631fe3147a

SHA512
a9193933f57c6a031ffb08f3d6bd53bd538c5c1c686f2b0ad98a7cda6a9d3fdaf61cc1aa84f3beeaf139bae764fa0fbd70a2f32f78b1e4fd776003cc74eb9429

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1805d52c89b5c0bf7e1bef160d8dd55

SHA1
583b0f49fe2c0645b6981bdfcb1d8664b201504f

SHA256
c8c5448faba1b435ae7b8714f8136dd533f83b85e0ffe6ecfb0259acaa3492af

SHA512
b2b134b61746697788cd6c44ecf58856d4e1f1ca7923967ab2488c7b608bd49cd7584932c8403cf4896d7783774e12ed3d7f6400a3df00eccc73c765bee22dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34152633bd0197beb86d73908656726b

SHA1
293ccb52f5f70391e9be6f2567004455e18af3e6

SHA256
42392a48ef1ab6cd258528eb1162c051bc0e6abf289269de833fd6408e0ca89b

SHA512
a22c9a7feabb3fa134189b322ba85221b7708f1db506b26f54c3bc6f348e6f90feec3f4e7556b1dd2c47406e389e5a1b5a51259dbf68223b00ea5236ff843c9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87ac56a6499cf4c4bea4693112d47315

SHA1
7a90309ae6e40714b417783f674443dada7711af

SHA256
78694e8de0c1a9edc7e23a091f596ef139a5727e5753134d3a57b68898605f18

SHA512
a3ed6327e2f3a52fff8a3c8a22cc14d09dccafafa473debe49b24612d59105014aac213229cc57c225991074c66dfad6de4243e44082b7dea6c852e7ecad9821

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCADF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAE2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2380-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/2380-6-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-5-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-4-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-3-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x00000000747E0000-0x0000000074ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-1-0x0000000000840000-0x0000000000852000-memory.dmp

Filesize
72KB

Download