njrat | cc749c708de955f129b1bf7ff198b28c906f6a233ac6dba95fe2acfd3009a32d

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LuaInjector.exe
Size

7.0MB
MD5

b97c8aab67e949a5e43905ceed9b0319
SHA1

5b9f0aa33a1e4e325370711d950fdf06b737993f
SHA256

cc749c708de955f129b1bf7ff198b28c906f6a233ac6dba95fe2acfd3009a32d
SHA512

e2c3a1773859c6e76a1dc155593ff96983cd1d499c4e9e3ff732027167d81b484c0d774652a7486e778b66b7abcb4d645b1d31c6b8199b95c4000ea6e7d40580
SSDEEP

98304:iSLCUGG+t+aCnfFXL/LNIRDB3YP1SnPWMO5RadDNkZCXA/G3Ra3Eql:8UGGw+zRIRFIP1Y+MooOHwRa3v

Score

10^/10

njrat lammer defense_evasion discovery execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

station-gps.gl.at.ply.gg:26933

Mutex

ded5a8703334377d83da00a864706211

Attributes

reg_key
ded5a8703334377d83da00a864706211
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2452	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ded5a8703334377d83da00a864706211.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ded5a8703334377d83da00a864706211.exe	System.exe

Executes dropped EXE 4 IoCs

pid	Process
2244	SilentPatcher.exe
2852	Lua Injector.exe
2744	Lammer.exe
2612	System.exe

Loads dropped DLL 6 IoCs

pid	Process
3052	LuaInjector.exe
3052	LuaInjector.exe
2740	Process not Found
3052	LuaInjector.exe
3052	LuaInjector.exe
2744	Lammer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ded5a8703334377d83da00a864706211 = "\"C:\\ProgramData\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ded5a8703334377d83da00a864706211 = "\"C:\\ProgramData\\System.exe\" .."	System.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2860	sc.exe
2816	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lammer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LuaInjector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lua Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe
2852	Lua Injector.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe
Token: 33	2612	System.exe
Token: SeIncBasePriorityPrivilege	2612	System.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2244	3052	LuaInjector.exe	30
PID 3052 wrote to memory of 2244	3052	LuaInjector.exe	30
PID 3052 wrote to memory of 2244	3052	LuaInjector.exe	30
PID 3052 wrote to memory of 2244	3052	LuaInjector.exe	30
PID 3052 wrote to memory of 2852	3052	LuaInjector.exe	32
PID 3052 wrote to memory of 2852	3052	LuaInjector.exe	32
PID 3052 wrote to memory of 2852	3052	LuaInjector.exe	32
PID 3052 wrote to memory of 2852	3052	LuaInjector.exe	32
PID 3052 wrote to memory of 2744	3052	LuaInjector.exe	34
PID 3052 wrote to memory of 2744	3052	LuaInjector.exe	34
PID 3052 wrote to memory of 2744	3052	LuaInjector.exe	34
PID 3052 wrote to memory of 2744	3052	LuaInjector.exe	34
PID 2852 wrote to memory of 2812	2852	Lua Injector.exe	35
PID 2852 wrote to memory of 2812	2852	Lua Injector.exe	35
PID 2852 wrote to memory of 2812	2852	Lua Injector.exe	35
PID 2852 wrote to memory of 2812	2852	Lua Injector.exe	35
PID 2812 wrote to memory of 2860	2812	cmd.exe	36
PID 2812 wrote to memory of 2860	2812	cmd.exe	36
PID 2812 wrote to memory of 2860	2812	cmd.exe	36
PID 2812 wrote to memory of 2860	2812	cmd.exe	36
PID 2852 wrote to memory of 2640	2852	Lua Injector.exe	37
PID 2852 wrote to memory of 2640	2852	Lua Injector.exe	37
PID 2852 wrote to memory of 2640	2852	Lua Injector.exe	37
PID 2852 wrote to memory of 2640	2852	Lua Injector.exe	37
PID 2640 wrote to memory of 2816	2640	cmd.exe	38
PID 2640 wrote to memory of 2816	2640	cmd.exe	38
PID 2640 wrote to memory of 2816	2640	cmd.exe	38
PID 2640 wrote to memory of 2816	2640	cmd.exe	38
PID 2744 wrote to memory of 2612	2744	Lammer.exe	39
PID 2744 wrote to memory of 2612	2744	Lammer.exe	39
PID 2744 wrote to memory of 2612	2744	Lammer.exe	39
PID 2744 wrote to memory of 2612	2744	Lammer.exe	39
PID 2612 wrote to memory of 2452	2612	System.exe	40
PID 2612 wrote to memory of 2452	2612	System.exe	40
PID 2612 wrote to memory of 2452	2612	System.exe	40
PID 2612 wrote to memory of 2452	2612	System.exe	40

C:\Users\Admin\AppData\Local\Temp\LuaInjector.exe
"C:\Users\Admin\AppData\Local\Temp\LuaInjector.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\SilentPatcher.exe
  "C:\Users\Admin\AppData\Local\Temp\SilentPatcher.exe"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\Lua Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Lua Injector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc start FairplayKD > NUL 2>&1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\sc.exe
      sc start FairplayKD
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop %c > NUL 2>&1
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\sc.exe
      sc stop %c
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2816
- C:\Users\Admin\AppData\Local\Temp\Lammer.exe
  "C:\Users\Admin\AppData\Local\Temp\Lammer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\ProgramData\System.exe
    "C:\ProgramData\System.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\ProgramData\System.exe" "System.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Lammer.exe

Filesize
23KB

MD5
8ef1c362e7a42893a331a657d021d665

SHA1
fdfe06f05c2a51ef8968ddc1d9a7595d694c93f8

SHA256
db27bc172a5de048b3514746a8d78bfda52828ac10bf929fc89839b2cdc9deab

SHA512
978e8ea7504b32f1d4f18a34f7822c60593ea5bda821cd63d77b7e2e9b13f4fabfc5f89ec681cbcf88669138b2936394761e4da58e223d80c3948e28148ce299

Download Submit
\Users\Admin\AppData\Local\Temp\Lua Injector.exe

Filesize
2.1MB

MD5
6b1ae040f09a43a4f0eee6fd964e2a47

SHA1
5d5ae0e6d89612fa55286f12f3a09443408ac1df

SHA256
d1163ec121ee6bdd11496c227b5f09a69cd2172aca93d111fac1be0cf73be0f2

SHA512
e6a7ad8d8245b7fa009b77c77e5d85059bcc6802247b72a5bf927a97390650d446f83984c43a3fd6cd5f5a35f747bda6b5d1e408aa59f212a856cc9eaca861a1

Download Submit
\Users\Admin\AppData\Local\Temp\SilentPatcher.exe

Filesize
2.6MB

MD5
7145358dc4b4908c33481df669f6a0f4

SHA1
87f13e788bd0bc105f1a9e992166ac819488d9c5

SHA256
d1035e2bc6fe5b8450d60f6c45c4d9479a014cec0f15cfd00a23a65a5e10634a

SHA512
164c6506b0df97877e15f1b2a668f06521b510817575d9c6df716bdf51e6deac20e2c78eb4ca1f42f4337aec7b747f7ebbcc5d7821a3ce92ac68aca8bd0c184a

Download Submit
memory/3052-0-0x0000000000400000-0x0000000000B04000-memory.dmp

Filesize
7.0MB

Download