njrat | 9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849f

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 07:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe
Size

93KB
MD5

302cf7032efe524349fa1850ce0661c0
SHA1

9c2ea1f3d82970b7168432536c983fc6dd990b88
SHA256

9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849f
SHA512

bd5c444b332d122aba426b0a96c5d479387b47a676402bc714e2b8ee37495d7be7aec2873c1227c4764fc3d8278d68a8a3461b0bc44ba23b75ca7b68e0ed98af
SSDEEP

768:LY3mUByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3lsGdp5gS7:LUUZD3rGWNd7DhkhjEwzGi1dDVD5gS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

0.tcp.eu.ngrok.io:12507

Mutex

fde06e51ba752addef229f6178664e93

Attributes

reg_key
fde06e51ba752addef229f6178664e93
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1884	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fde06e51ba752addef229f6178664e93Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fde06e51ba752addef229f6178664e93Windows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
2300	server.exe

Loads dropped DLL 2 IoCs

pid	Process
2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe
2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.eu.ngrok.io
20	0.tcp.eu.ngrok.io
23	0.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2300	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2300	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe
Token: 33	2300	server.exe
Token: SeIncBasePriorityPrivilege	2300	server.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2300	2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe	31
PID 2000 wrote to memory of 2300	2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe	31
PID 2000 wrote to memory of 2300	2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe	31
PID 2000 wrote to memory of 2300	2000	9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe	31
PID 2300 wrote to memory of 1884	2300	server.exe	32
PID 2300 wrote to memory of 1884	2300	server.exe	32
PID 2300 wrote to memory of 1884	2300	server.exe	32
PID 2300 wrote to memory of 1884	2300	server.exe	32

C:\Users\Admin\AppData\Local\Temp\9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe
"C:\Users\Admin\AppData\Local\Temp\9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849fN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\ProgramData\server.exe
  "C:\ProgramData\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\ProgramData\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
bbcd2be775370c1e106e66d077a93f3b

SHA1
a44b6a98f30e3275fc304bc3b29e0eab8ae47f20

SHA256
a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1

SHA512
bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

Download Submit
\ProgramData\server.exe

Filesize
93KB

MD5
302cf7032efe524349fa1850ce0661c0

SHA1
9c2ea1f3d82970b7168432536c983fc6dd990b88

SHA256
9decfe095e019e7ffaa267ff01fef96d135459f262d5d6c660304029dd36849f

SHA512
bd5c444b332d122aba426b0a96c5d479387b47a676402bc714e2b8ee37495d7be7aec2873c1227c4764fc3d8278d68a8a3461b0bc44ba23b75ca7b68e0ed98af

Download Submit
memory/2000-0-0x0000000074C01000-0x0000000074C02000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-2-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-15-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-14-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-16-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download
memory/2300-22-0x0000000074C00000-0x00000000751AB000-memory.dmp

Filesize
5.7MB

Download