Description
NjRat is a notorious remote access trojan (RAT) predominantly wielded by malicious operators to infiltrate and take remote control of compromised systems. This analytic story harnesses targeted searches to uncover and investigate activities that could indicate NjRAT's presence. These include file write operations for dropped files, registry modifications aimed at establishing persistence, suspicious processes, self-deletion behaviors, browser credential parsing, firewall configuration alterations, self-propagation via removable drives, and an array of other potentially malicious actions.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-09-07
- Author: Teoderick Contreras, Splunk
- ID: f6d52454-6cf3-4759-9627-5868a3e2b2b1
Narrative
NjRat, also known as Bladabindi, is malware that was first discovered in the wild in 2012. Since then it has remained active and has been distributed through a variety of campaigns. While its primary infection vectors are phishing attacks and drive-by downloads, it also has "worm" capability to spread itself via infected removable drives. This RAT has a wide range of capabilities, including keylogging, webcam access, browser credential parsing, file upload and download, file and process listing, service listing, shell command execution, registry modification, screen capture, viewing the desktop of the infected computer, and many more. NjRat does not target any particular industry; instead it attacks a wide variety of individuals and organizations to gather sensitive information.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Document Spawned Child Process To Download | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning MSHTA | Phishing, Spearphishing Attachment | TTP |
| Powershell Fileless Script Contains Base64 Encoded Content | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Windows Abused Web Services | Web Service | TTP |
| Windows Admin Permission Discovery | Local Groups | Anomaly |
| Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Delete or Modify System Firewall | Impair Defenses, Disable or Modify System Firewall | Anomaly |
| Windows Disable or Modify Tools Via Taskkill | Impair Defenses, Disable or Modify Tools | Anomaly |
| Windows Executable in Loaded Modules | Shared Modules | TTP |
| Windows Modify Registry With MD5 Reg Key Name | Modify Registry | TTP |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall, Impair Defenses | TTP |
| Windows Njrat Fileless Storage via Registry | Fileless Storage, Obfuscated Files or Information | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP |
| Windows Replication Through Removable Media | Replication Through Removable Media | TTP |
| Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows Time Based Evasion | Virtualization/Sandbox Evasion, Time Based Evasion | TTP |
| Windows Unsigned DLL Side-Loading | DLL Side-Loading | Anomaly |
| Windows User Execution Malicious URL Shortcut File | Malicious File, User Execution | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP |
Reference
source | version: 2