njrat | c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97

General

Target

c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe
Size

117KB
MD5

b689a019b75e19b2a16a6bab417d24e0
SHA1

3605d3a0257f804d23d9eaca3f2bdf109661997d
SHA256

c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97
SHA512

a3b3b624d08dbc091f64f7106a32d9f2486ba47de4b36391522a4e56b307af46b856b96bf4ede8bbad3a1f503ba1f6190ca0f3e6c92d9cb27d67921610f2c46a
SSDEEP

1536:Tl+qMz7zRwM73ifqkWThNgktlw9C2hBjsVbR1YLOl+qMz7zRwM7:Tb8iYHkyNgzC2vLOb8iY

Score

10^/10

njrat defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3080	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	dll.exe

Executes dropped EXE 2 IoCs

pid	Process
3120	dll.exe
2664	javaupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a5906bc047587dfba7c89a4d5cd271a = "\"C:\\Users\\Admin\\AppData\\Roaming\\javaupdate.exe\" .."	javaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a5906bc047587dfba7c89a4d5cd271a = "\"C:\\Users\\Admin\\AppData\\Roaming\\javaupdate.exe\" .."	javaupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe
Token: 33	2664	javaupdate.exe
Token: SeIncBasePriorityPrivilege	2664	javaupdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 3120	4728	c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe	99
PID 4728 wrote to memory of 3120	4728	c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe	99
PID 4728 wrote to memory of 3120	4728	c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe	99
PID 3120 wrote to memory of 2664	3120	dll.exe	101
PID 3120 wrote to memory of 2664	3120	dll.exe	101
PID 3120 wrote to memory of 2664	3120	dll.exe	101
PID 2664 wrote to memory of 3080	2664	javaupdate.exe	102
PID 2664 wrote to memory of 3080	2664	javaupdate.exe	102
PID 2664 wrote to memory of 3080	2664	javaupdate.exe	102

C:\Users\Admin\AppData\Local\Temp\c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe
"C:\Users\Admin\AppData\Local\Temp\c36053ad92f2655500d2105b00967617cf9ee90356b905a8377a186273117f97N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Users\Admin\AppData\Roaming\javaupdate.exe
    "C:\Users\Admin\AppData\Roaming\javaupdate.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\javaupdate.exe" "javaupdate.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
23KB

MD5
51a2cf9f7d9d16fd126851230b9fd65f

SHA1
1b28295dfb2826af4e1ef8bacdb5c6a9c41b3da4

SHA256
7022fe4aeff865cb8ebbef92a53666af65b6235eaa78764a7b582b1237025092

SHA512
627888416fa15fdcb32deab921972bb34d8680ee1de47fb10755e30a46df8bce72bc2e9cbb159ff790606ae8212c78dec09c09384778579e0b14a5092f9efd07

Download Submit
memory/2664-33-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/2664-32-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/2664-31-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/3120-30-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/3120-20-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/3120-19-0x000000006EF60000-0x000000006F511000-memory.dmp

Filesize
5.7MB

Download
memory/3120-18-0x000000006EF62000-0x000000006EF63000-memory.dmp

Filesize
4KB

Download
memory/4728-4-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4728-9-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4728-8-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/4728-7-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4728-6-0x0000000006C50000-0x0000000006CEC000-memory.dmp

Filesize
624KB

Download
memory/4728-5-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/4728-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/4728-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/4728-2-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/4728-1-0x0000000000550000-0x0000000000572000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads