njrat | df90ae97f50e8ad1bedc8b533026c4708561a2ea1a025008c28584b32a7ba3ca

General

Target

d606478b39abb92571298cb94cfc4443_JaffaCakes118.vbs
Size

242KB
MD5

d606478b39abb92571298cb94cfc4443
SHA1

4115e36c0e742454ac4042d97cc117e575a6410b
SHA256

df90ae97f50e8ad1bedc8b533026c4708561a2ea1a025008c28584b32a7ba3ca
SHA512

2579094c2835f98bfba058780fa5afd3f1219f0f752b007c28b187c11bd450c6bf8c9de1f623ada4acab1b5531b79ef139e6e51f23adc7991ffcbb558d1d0484
SSDEEP

384:/KVQZIj66moj854oQ9NlJSRJY/LaNaIhlaKwco+iLw4wvagZCk6evnWAxWAxbvfK:5BNwBWBvWBvUjeXMEMELfNw4r

Score

10^/10

njrat zerooo discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

zerooo

C2

abssa2016.ddns.net:1177

Mutex

5b2d8a2a5ef35052f655e43339797018

Attributes

reg_key
5b2d8a2a5ef35052f655e43339797018
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2144	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b2d8a2a5ef35052f655e43339797018.exe	update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5b2d8a2a5ef35052f655e43339797018.exe	update.exe

Executes dropped EXE 2 IoCs

pid	Process
2328	txw45g.exe
2276	update.exe

Loads dropped DLL 1 IoCs

pid	Process
2328	txw45g.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	txw45g.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe
2276	update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	update.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2328	2380	WScript.exe	30
PID 2380 wrote to memory of 2328	2380	WScript.exe	30
PID 2380 wrote to memory of 2328	2380	WScript.exe	30
PID 2380 wrote to memory of 2328	2380	WScript.exe	30
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2328 wrote to memory of 2276	2328	txw45g.exe	31
PID 2276 wrote to memory of 2144	2276	update.exe	32
PID 2276 wrote to memory of 2144	2276	update.exe	32
PID 2276 wrote to memory of 2144	2276	update.exe	32
PID 2276 wrote to memory of 2144	2276	update.exe	32

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d606478b39abb92571298cb94cfc4443_JaffaCakes118.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\txw45g.exe
  C:\Users\Admin\AppData\Local\Temp\txw45g.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\update.exe" "update.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\txw45g.exe

Filesize
29KB

MD5
949123bcd9695f83b2062ef921cc5759

SHA1
fd0de2a20461284492f7cebf94c62c82f3241199

SHA256
d55ef228ed1c48b12b954d3fe4dc68b0a061a8e8e52c466a21f782457c6aeb97

SHA512
b334e147fd64c5fe2efa602e8b6971ee45e60178be8fd121743a6e4a282607cbe40535dcd1418f6632a4e152b25bcd4a534102e14c4ca10e1a94c4662dbbfd73

Download Submit
memory/2276-16-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2276-18-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-5-0x0000000074841000-0x0000000074842000-memory.dmp

Filesize
4KB

Download
memory/2328-6-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-7-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-15-0x0000000074840000-0x0000000074DEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads