njrat | f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009

General

Target

Everythingnew.exe
Size

43KB
MD5

e6c670a90c4eb92933de49b9b28d19bc
SHA1

e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0
SHA256

f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009
SHA512

552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398
SSDEEP

384:oZy3Oxrt+3qpyeEDLAL3EkPVIVUusVzQIij+ZsNO3PlpJKkkjh/TzF7pWnM7greT:eTwage0LGfNXuXQ/ot7+L

Score

10^/10

njrat stealer discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

stealer

C2

environmental-seeds.gl.at.ply.gg:35534

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
16	4156	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3999859863-1326678182-1452229686-1000\Control Panel\International\Geo\Nation	Everythingnew.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	winsystem.exe

Executes dropped EXE 1 IoCs

pid	Process
3792	winsystem.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3999859863-1326678182-1452229686-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .."	winsystem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\winsystem.exe\" .."	winsystem.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winsystem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Everythingnew.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
924	MicrosoftEdgeUpdate.exe
4792	cmd.exe
2268	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2268	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4168	Everythingnew.exe
3792	winsystem.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe
Token: 33	3792	winsystem.exe
Token: SeIncBasePriorityPrivilege	3792	winsystem.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3792	4168	Everythingnew.exe	88
PID 4168 wrote to memory of 3792	4168	Everythingnew.exe	88
PID 4168 wrote to memory of 3792	4168	Everythingnew.exe	88
PID 3792 wrote to memory of 4792	3792	winsystem.exe	94
PID 3792 wrote to memory of 4792	3792	winsystem.exe	94
PID 3792 wrote to memory of 4792	3792	winsystem.exe	94
PID 4792 wrote to memory of 2268	4792	cmd.exe	96
PID 4792 wrote to memory of 2268	4792	cmd.exe	96
PID 4792 wrote to memory of 2268	4792	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe
"C:\Users\Admin\AppData\Local\Temp\Everythingnew.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Users\Admin\AppData\Roaming\winsystem.exe
  "C:\Users\Admin\AppData\Roaming\winsystem.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Roaming\winsystem.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2268

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzVGOTUwQkUtM0ZCMC00M0QzLUI2NzMtREY2MkYwNkU5MDM0fSIgdXNlcmlkPSJ7Q0NDQzQxM0YtMzJBOC00MjkxLUI0QkMtRTBCREFEQjlBRUU2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0Y3M0QzM0EtN0E5Ri00M0ZBLTkxOEQtMDlGQTFFMDRBOEMzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDQ4IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NDg5OTIwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDc2NjU1NDczOCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\winsystem.exe

Filesize
43KB

MD5
e6c670a90c4eb92933de49b9b28d19bc

SHA1
e561d4517df4a7bdf2fafdf4f5dafabedc3c74e0

SHA256
f09c8a7cfd0dbbafc4191ecf15e57329fd1959b6b4da2bcac0ab59f08b8db009

SHA512
552ad265eb09afa523f3ec3fa22300b47630064db6788c97e16051352d55c45cb6a7ca21f01e31246aad391f571adab7e89e567264a9c0a9cf87c8208a60f398

Download Submit
memory/3792-24-0x0000000006C30000-0x0000000006C48000-memory.dmp

Filesize
96KB

Download
memory/3792-19-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/3792-28-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/3792-26-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/3792-25-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/3792-20-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/3792-22-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/3792-23-0x0000000005310000-0x0000000005376000-memory.dmp

Filesize
408KB

Download
memory/4168-18-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/4168-2-0x0000000005530000-0x00000000055CC000-memory.dmp

Filesize
624KB

Download
memory/4168-1-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/4168-0-0x000000007426E000-0x000000007426F000-memory.dmp

Filesize
4KB

Download
memory/4168-5-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/4168-4-0x0000000074260000-0x0000000074A11000-memory.dmp

Filesize
7.7MB

Download
memory/4168-3-0x0000000005E30000-0x00000000063D6000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads