Neonprimetime

#njrat observations 12-08-2017 to 12-12-2017

Dec 12th, 2017
#njrat observations
12/12/2017
sha256 fbfbd93fa406eec618170b711abe1b01b06cef21a3c6e14f1cb10ade1676c78e
https://www.reverse.it/sample/fbfbd93fa406eec618170b711abe1b01b06cef21a3c6e14f1cb10ade1676c78e?environmentId=100

unusual non-web port ( 176.33.216.101 on port 1177 )
process hierarchy [ exe -> somewhat legit looking EXE name -> netsh.exe netsh firewall add allowedprogram]
no cmd.exe ping command found

12/11/2017
sha256 9e6d619c5835be753e903c1b6a84e8bfc0bf169ae42d53c3d8b76a8b7510a0f5
https://www.reverse.it/sample/9e6d619c5835be753e903c1b6a84e8bfc0bf169ae42d53c3d8b76a8b7510a0f5?environmentId=100

unusual non-web port ( 141.255.146.55 on port 8085 )
process hierarchy [ exe -> somewhat legit looking EXE name -> netsh.exe netsh firewall add allowedprogram]
cmd.exe ping command in strings

12/9/2017
sha256 78852535581f2d1d55f8ae1c37020e106c450d9dd67f9a47c27d86c9ae8788fd
https://www.reverse.it/sample/78852535581f2d1d55f8ae1c37020e106c450d9dd67f9a47c27d86c9ae8788fd?environmentId=100

unusual non-web port ( 5.2.76.91 on port 1111 )
process hierarchy [ exe -> somewhat legit looking EXE name]
no cmd.exe ping command found

12/8/2017
sha256 67f5691549e0eb08c6603f4cc6fd30a3549fd7a0a587fe76bc6117506657675c
https://www.reverse.it/sample/67f5691549e0eb08c6603f4cc6fd30a3549fd7a0a587fe76bc6117506657675c?environmentId=100

unusual non-web port ( 41.227.36.161 on port 5552 )
process hierarchy [ exe -> somewhat legit looking EXE name -> netsh.exe netsh firewall add allowedprogram]
cmd.exe ping command in strings
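
Added example (not part of the original paste): a small triage pass that flags the two runtime traits noted above, the exe -> exe -> netsh "firewall add allowedprogram" chain and an outbound connection to a non-web port. The event field names, the file names, the 192.0.2.x addresses and the WEB_PORTS set are assumptions made for the example.

```python
import re

WEB_PORTS = {80, 443}  # assumption: what counts as a "web" port in this environment
NETSH_ALLOW = re.compile(r"\bfirewall\s+add\s+allowedprogram\b", re.I)

# Constructed sample telemetry (not from the paste); field names are hypothetical.
PROCS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\sample.exe", "cmd": "sample.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Temp\legitlooking.exe", "cmd": "legitlooking.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": r'netsh firewall add allowedprogram "C:\Temp\legitlooking.exe" "legitlooking.exe" ENABLE'},
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files\App\updater.exe", "cmd": "updater.exe"},
]
CONNS = [
    {"pid": 200, "dst": "192.0.2.10", "port": 1177},
    {"pid": 400, "dst": "192.0.2.20", "port": 443},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(procs, conns):
    """Return {pid: sorted trait list} for processes showing a trait from the paste."""
    by_pid = {p["pid"]: p for p in procs}
    hits = {}
    for p in procs:
        # Trait: netsh.exe adding a firewall allowed-program entry; blame its parent.
        if basename(p["image"]) == "netsh.exe" and NETSH_ALLOW.search(p["cmd"]):
            parent = by_pid.get(p["ppid"])
            if parent is None:
                continue  # parent not in the captured window; nothing to attribute
            hits.setdefault(parent["pid"], set()).add("netsh_allowedprogram")
            # Trait: that parent was itself started by another exe (exe -> exe -> netsh).
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and basename(grandparent["image"]).endswith(".exe"):
                hits[parent["pid"]].add("exe_spawned_by_exe")
    for c in conns:
        # Trait: outbound connection to a port outside the web set.
        if c["port"] not in WEB_PORTS and c["pid"] in by_pid:
            hits.setdefault(c["pid"], set()).add("non_web_port:%d" % c["port"])
    return {pid: sorted(traits) for pid, traits in hits.items()}

if __name__ == "__main__":
    for pid, traits in triage(PROCS, CONNS).items():
        print(pid, by_pid_name := basename(next(p["image"] for p in PROCS if p["pid"] == pid)), traits)
```

Each trait is weak on its own; the process that collects all of them is the one worth pulling for analysis.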