Malware Analysis Report

2025-01-22 14:04

Sample ID 240229-m4bfnaeh5x
Target ae59fdf5c21e0dede4be06c7f82c2597
SHA256 7bc5235538284e3133614ad8992df1a6c758250c9afe4e6ba83a1aff4c11d579
Tags
njrat hacked evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bc5235538284e3133614ad8992df1a6c758250c9afe4e6ba83a1aff4c11d579

Threat Level: Known bad

The file ae59fdf5c21e0dede4be06c7f82c2597 was found to be: Known bad.

Malicious Activity Summary

njrat hacked evasion persistence trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 11:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 11:00

Reported

2024-02-29 11:03

Platform

win7-20240221-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddos.vbs"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\50c3e7591aec55d568f0177f1a3e4984 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\50c3e7591aec55d568f0177f1a3e4984 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
(the last two rows alternate 15 times in the event list and are shown once here)

Note: "Token: 33" is a privilege the sandbox reports by raw LUID rather than by name; in the winnt.h privilege table 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Neither that nor SeIncBasePriorityPrivilege is a meaningful indicator on its own. The row that matters is SeDebugPrivilege: it is assigned only to Administrators by default (AdjustTokenPrivileges can only enable a privilege the token already holds), a user-mode RAT has no legitimate need for it, and enabling it is the usual prelude to opening other processes for injection (compare the "Suspicious use of WriteProcessMemory" entry in the summary).

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddos.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 karrar123.ddns.net udp

Files

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 de2ee0ffdf773819123bfd5767721e40
SHA1 6ed6fa8a0e6ac6a96d16f05a86b072f6df85e414
SHA256 f3760948ff637f8382edb827e50a01f4913ef2996879dce02daf3f84b60961d1
SHA512 baa86476573acd36df112cc1a56a6a7cbee371b0753f95871a7ea210a9f47848a943ab9c6ec0f0f3eb8ce13685db95ed402f73d99b44d5c35867e50d07079cf3

memory/2620-6-0x0000000074340000-0x00000000748EB000-memory.dmp

memory/2620-7-0x00000000021D0000-0x0000000002210000-memory.dmp

memory/2620-8-0x0000000074340000-0x00000000748EB000-memory.dmp

memory/2620-16-0x0000000074340000-0x00000000748EB000-memory.dmp

memory/2524-18-0x00000000020C0000-0x0000000002100000-memory.dmp

memory/2524-17-0x0000000074340000-0x00000000748EB000-memory.dmp

memory/2524-19-0x0000000074340000-0x00000000748EB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 11:00

Reported

2024-02-29 11:03

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddos.vbs"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A

Note: this signature fires on a read of Control Panel\International\Geo\Nation. Many legitimate applications read this value while initialising locale settings, so on its own it is a weak indicator; it is listed because some malware families use the country code to decide whether to run.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempwinlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50c3e7591aec55d568f0177f1a3e4984 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\50c3e7591aec55d568f0177f1a3e4984 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
(the last two rows alternate 14 times in the event list and are shown once here)

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddos.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 karrar123.ddns.net udp (18 consecutive identical queries; shown once)
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 209.85.202.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 karrar123.ddns.net udp
US 8.8.8.8:53 95.202.85.209.in-addr.arpa udp

Note: across both runs the only traffic attributable to the sample is the repeated DNS lookup of karrar123.ddns.net, a dynamic-DNS hostname, with no TCP session to any resolved address in the capture; the C2 host evidently did not resolve (or was unreachable) during detonation, so no njRAT command traffic was recorded. The in-addr.arpa reverse lookups and the Microsoft Edge / chromewebstore.googleapis.com traffic are background activity of the Windows 10 sandbox image, not the sample.

Files

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 de2ee0ffdf773819123bfd5767721e40
SHA1 6ed6fa8a0e6ac6a96d16f05a86b072f6df85e414
SHA256 f3760948ff637f8382edb827e50a01f4913ef2996879dce02daf3f84b60961d1
SHA512 baa86476573acd36df112cc1a56a6a7cbee371b0753f95871a7ea210a9f47848a943ab9c6ec0f0f3eb8ce13685db95ed402f73d99b44d5c35867e50d07079cf3

memory/5036-8-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/5036-9-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/5036-10-0x0000000001030000-0x0000000001040000-memory.dmp

memory/1540-20-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/5036-21-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/1540-22-0x00000000014C0000-0x00000000014D0000-memory.dmp

memory/1540-23-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/1540-24-0x00000000752F0000-0x00000000758A1000-memory.dmp

memory/1540-25-0x00000000014C0000-0x00000000014D0000-memory.dmp