njrat | 94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160

General

Target

sYCuOOjDOlvjstub.js
Size

29KB
MD5

dac9ed798f79a40ef59756c710f61593
SHA1

199bfa38a09181e9396cef4d3b29b0762c5ba987
SHA256

94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
SHA512

ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef

Score

10^/10

njrat vjw0rm hacked by mustemonee hacked by mustymoney evasion persistence suricata trojan worm

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MustyMoney

C2

104.168.7.110:5552

Mutex

72f64d4ec723544c65ffca1cd7ba4ee6

Attributes

reg_key
72f64d4ec723544c65ffca1cd7ba4ee6
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MusteMonee

C2

104.168.7.110:5552

Mutex

eca56299e0fd252052e571b07f78b218

Attributes

reg_key
eca56299e0fd252052e571b07f78b218
splitter
|'|'|

Extracted

Family

vjw0rm

C2

http://104.168.7.110:7974

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
suricata

Blocklisted process makes network request 22 IoCs

Processes:

wscript.exewscript.exewscript.exe

flow	pid	process
6	4428	wscript.exe
14	3740	wscript.exe
18	3764	wscript.exe
22	3740	wscript.exe
43	3764	wscript.exe
44	3740	wscript.exe
53	3764	wscript.exe
54	3740	wscript.exe
58	3764	wscript.exe
59	3740	wscript.exe
66	3764	wscript.exe
75	3740	wscript.exe
85	3764	wscript.exe
86	3740	wscript.exe
91	3764	wscript.exe
92	3740	wscript.exe
93	3764	wscript.exe
95	3740	wscript.exe
96	3764	wscript.exe
97	3740	wscript.exe
98	3764	wscript.exe
99	3740	wscript.exe

Executes dropped EXE 2 IoCs

Processes:

Server.exetmp7CE1.tmp.exe

pid process

4528 Server.exe
3152 tmp7CE1.tmp.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3284 netsh.exe
2084 netsh.exe

pid	process
4528	Server.exe
3152	tmp7CE1.tmp.exe

pid	process
3284	netsh.exe
2084	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeServer.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 4 IoCs

Processes:

wscript.exewscript.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\egqENcOXOr.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NYWMTCgCLF.js	wscript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Server.exetmp7CE1.tmp.exewscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eca56299e0fd252052e571b07f78b218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7CE1.tmp.exe\" .."	tmp7CE1.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eca56299e0fd252052e571b07f78b218 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp7CE1.tmp.exe\" .."	tmp7CE1.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\egqENcOXOr.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NYWMTCgCLF.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\72f64d4ec723544c65ffca1cd7ba4ee6 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Server.exe\" .."	Server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings wscript.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

Server.exetmp7CE1.tmp.exe

pid process

4528 Server.exe
3152 tmp7CE1.tmp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	wscript.exe

pid	process
4528	Server.exe
3152	tmp7CE1.tmp.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

Server.exetmp7CE1.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4528	Server.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: SeDebugPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe
Token: 33	3152	tmp7CE1.tmp.exe
Token: SeIncBasePriorityPrivilege	3152	tmp7CE1.tmp.exe
Token: 33	4528	Server.exe
Token: SeIncBasePriorityPrivilege	4528	Server.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

wscript.exeWScript.exeServer.exetmp7CE1.tmp.exe

description	pid	process	target process
PID 4428 wrote to memory of 3764	4428	wscript.exe	wscript.exe
PID 4428 wrote to memory of 3764	4428	wscript.exe	wscript.exe
PID 4428 wrote to memory of 2532	4428	wscript.exe	WScript.exe
PID 4428 wrote to memory of 2532	4428	wscript.exe	WScript.exe
PID 2532 wrote to memory of 3740	2532	WScript.exe	wscript.exe
PID 2532 wrote to memory of 3740	2532	WScript.exe	wscript.exe
PID 2532 wrote to memory of 4528	2532	WScript.exe	Server.exe
PID 2532 wrote to memory of 4528	2532	WScript.exe	Server.exe
PID 4528 wrote to memory of 3284	4528	Server.exe	netsh.exe
PID 4528 wrote to memory of 3284	4528	Server.exe	netsh.exe
PID 4528 wrote to memory of 3152	4528	Server.exe	tmp7CE1.tmp.exe
PID 4528 wrote to memory of 3152	4528	Server.exe	tmp7CE1.tmp.exe
PID 3152 wrote to memory of 2084	3152	tmp7CE1.tmp.exe	netsh.exe
PID 3152 wrote to memory of 2084	3152	tmp7CE1.tmp.exe	netsh.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sYCuOOjDOlvjstub.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\egqENcOXOr.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44L6NW8IFT.js"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:3740

C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Server.exe" "Server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe" "tmp7CE1.tmp.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\44L6NW8IFT.js
Filesize
69KB

MD5
1e7844cfd3891b2b8ccc1ff0c4f005f7

SHA1
8d2c5ed0869da9b4146605a9b01bc9e65ff89970

SHA256
feb5d1bed4c5358d93a65af508a67c777761405f5491426ee3a80b2b1d21d8b0

SHA512
e826c9c8db9471afc4cbad7437ec59bae342a5107fb8e0f46a34d82440e7d2623ca9950cab872ead2a098c69b2fc0b7e7d0f9925b07927bdc0193c49bab22d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe
Filesize
25KB

MD5
7b306a90f5fa8c9e37d12da97901ab91

SHA1
5495f79e2716cc87fb5c97bcd66c4b9da0c65723

SHA256
1e650f32a1ff24effa0ca2ab8d694b085d79a28e44bf930ac484864d3fc33016

SHA512
e912af8d124476c948e8397c86710b2fbdb2e6bf1b516e9d7d21436a4e2f56bcf16baa388b857da49a1d612426502d1bb994472e8d66806e782da1e0cf5fba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CE1.tmp.exe
Filesize
25KB

MD5
7b306a90f5fa8c9e37d12da97901ab91

SHA1
5495f79e2716cc87fb5c97bcd66c4b9da0c65723

SHA256
1e650f32a1ff24effa0ca2ab8d694b085d79a28e44bf930ac484864d3fc33016

SHA512
e912af8d124476c948e8397c86710b2fbdb2e6bf1b516e9d7d21436a4e2f56bcf16baa388b857da49a1d612426502d1bb994472e8d66806e782da1e0cf5fba45

Download Submit
C:\Users\Admin\AppData\Roaming\NYWMTCgCLF.js
Filesize
10KB

MD5
fd447e6df0608645bb7c39365c6df8ce

SHA1
13a8b0a5ab75f3552188aa409ed072d3ca800fa2

SHA256
c72a3508ab2c2f766178f28b2f69130ac67219210537a7bef3db71f4a8fdbda8

SHA512
5bcc990d0c7c10ae97d6a5067c3cee7473f248e844acd44e0c86c43ad41aa79f446cd7ccbd9b8dea4fd415fceb76bb48e86cb4138045b81c5a4506703c8201ed

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
24KB

MD5
c2f4ae9580de684b7651bade5022107a

SHA1
1e3cbb87a009c26d25469b006713a73d20dc2da7

SHA256
9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3

SHA512
8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe
Filesize
24KB

MD5
c2f4ae9580de684b7651bade5022107a

SHA1
1e3cbb87a009c26d25469b006713a73d20dc2da7

SHA256
9b86135d4413f51f91c65879d2c3377eba9ccfa348f6d882f471f929ca133bb3

SHA512
8af8df4b6a79bf4a02437f40f37d5c830fc4a92d282616e49f942d0440c6151c9ffac3ed8c3a4f64e152589a960c02dc3c2726550673c5a143625bf0116b3579

Download Submit
C:\Users\Admin\AppData\Roaming\egqENcOXOr.js
Filesize
10KB

MD5
dffdb0fc6b534c658575b72bfd4826ae

SHA1
d6cc3039c628b6d9e8a137933fa953e785a9ef0b

SHA256
7e4297ebdde73b716fafb213529d79007e6825b786a471ca7e5a52024fddb939

SHA512
c9f4be68cc09ad027a65745233363940ed7ee7b82ecf919096336ddfec90932ad707ec30089e40f8e2918df2b14f400c96d3d854c0d89ae56897e06e849637ae

Download Submit
memory/2084-149-0x0000000000000000-mapping.dmp

Download
memory/2532-132-0x0000000000000000-mapping.dmp

Download
memory/3152-146-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/3152-143-0x0000000000000000-mapping.dmp

Download
memory/3152-147-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-148-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-140-0x0000000000000000-mapping.dmp

Download
memory/3740-134-0x0000000000000000-mapping.dmp

Download
memory/3764-130-0x0000000000000000-mapping.dmp

Download
memory/4528-141-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-142-0x00007FF980B00000-0x00007FF9815C1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-139-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/4528-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads