njrat | 29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12

General

Target

29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe
Size

43KB
MD5

f3c6a39bbcdf14222e36ac9fcb1764c0
SHA1

52d80a72eaefd786e069e888b11c6d7bd8c4ce97
SHA256

29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12
SHA512

a43e887a4033c0aa580af5c92afa9698b6b7f3d1b7aeae88a4ddb3cd741588c34c2160bfe35b19d39a1b901c76e2c9970297e7947386b6190777f272e876315b
SSDEEP

384:1ZyLaNU1SoycwJepJ3WhYYWOVOKEbv5Y8Gzz0Iij+ZsNO3PlpJKkkjh/TzF7pWnx:fJqglcwJEDMOtBY/uXQ/o2+L

Score

10^/10

njrat roshaders discovery trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

RoShaders

C2

127.0.0.1:8848

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe
2292	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2292	AcroRd32.exe
2292	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 1728 wrote to memory of 2472	1728	29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe	30
PID 2472 wrote to memory of 2292	2472	rundll32.exe	31
PID 2472 wrote to memory of 2292	2472	rundll32.exe	31
PID 2472 wrote to memory of 2292	2472	rundll32.exe	31
PID 2472 wrote to memory of 2292	2472	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe
"C:\Users\Admin\AppData\Local\Temp\29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\RoShaders
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\RoShaders"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5a1e5eda5ecfb9d2f5a2b0d052ae1834

SHA1
a1758325b6efaa5a2c76653e1e2b7efd618a43c8

SHA256
d389129c3a32984a908fbd291e8e97356c38c1af6aca0cddf060a38d59b4c5d6

SHA512
0d5f4b9028cdad46c01cc6f579a3f3a6813ae5fc6aba9c0db61f04e533a27e4f820f52605af297bdce60c69cb8db2671033977c6e19d2e4990d83f615e94c316

Download Submit
C:\Users\Admin\AppData\Roaming\RoShaders

Filesize
43KB

MD5
f3c6a39bbcdf14222e36ac9fcb1764c0

SHA1
52d80a72eaefd786e069e888b11c6d7bd8c4ce97

SHA256
29d75037536856471105669f9ddb32362bd9b319c03cce30e88648700c816b12

SHA512
a43e887a4033c0aa580af5c92afa9698b6b7f3d1b7aeae88a4ddb3cd741588c34c2160bfe35b19d39a1b901c76e2c9970297e7947386b6190777f272e876315b

Download Submit
memory/1728-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1728-2-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/1728-5-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing