Analytics Story: NjRAT

Date: 2023-09-07 ID: f6d52454-6cf3-4759-9627-5868a3e2b2b1 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and wield remote control over compromised systems. This analytical story harnesses targeted search methodologies to uncover and investigate activities that could be indicative of NjRAT's presence. These activities include tracking file write operations for dropped files, scrutinizing registry modifications aimed at establishing persistence mechanisms, monitoring suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, spread itself via removable drive and an array of other potentially malicious actions.

Why it matters

NjRat is also known as Bladabindi malware that was first discovered in the wild in 2012. Since then this malware remain active and uses different campaign to spred its malware. While its primary infection vectors are phishing attacks and drive-by downloads, it also has "worm" capability to spread itself via infected removable drives. This RAT has various of capabilities including keylogging, webcam access, browser credential parsing, file upload and downloads, file and process list, service list, shell command execution, registry modification, screen capture, view the desktop of the infected computer and many more. NjRat does not target any industry in particular, but attacking a wide variety of individuals and organizations to gather sensitive information.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Allow Inbound Traffic By Firewall Rule Registry Remote Desktop Protocol, Remote Services TTP
Allow Network Discovery In Firewall Disable or Modify Cloud Firewall, Impair Defenses TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Disable Registry Tool Disable or Modify Tools, Impair Defenses, Modify Registry TTP
Disabling CMD Application Disable or Modify Tools, Impair Defenses, Modify Registry TTP
Disabling SystemRestore In Registry Inhibit System Recovery TTP
Disabling Task Manager Disable or Modify Tools, Impair Defenses TTP
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Windows Abused Web Services Web Service TTP
Windows Admin Permission Discovery Local Groups Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows Delete or Modify System Firewall Impair Defenses, Disable or Modify System Firewall Anomaly
Windows Disable or Modify Tools Via Taskkill Impair Defenses, Disable or Modify Tools Anomaly
Windows Executable in Loaded Modules Shared Modules TTP
Windows Modify Registry With MD5 Reg Key Name Modify Registry TTP
Windows Modify System Firewall with Notable Process Path Disable or Modify System Firewall, Impair Defenses TTP
Windows Njrat Fileless Storage via Registry Fileless Storage, Obfuscated Files or Information TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows Replication Through Removable Media Replication Through Removable Media TTP
Windows System LogOff Commandline System Shutdown/Reboot Anomaly
Windows System Reboot CommandLine System Shutdown/Reboot Anomaly
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly
Windows Time Based Evasion Virtualization/Sandbox Evasion, Time Based Evasion TTP
Windows Unsigned DLL Side-Loading DLL Side-Loading Anomaly
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 2