njrat | cfe9dc76a15fae96808fa814135113d763fcf418aae410cea34580b15fb00edd | Triage

Submit
Reports

Overview

overview

Static

static

File 2.js

windows7_x64

File 2.js

windows10-2004_x64

Sharing

General

Target

File 2.js
Size

51KB
Sample

220616-mrm9paecdk
MD5

199c37a6953be6415f368cafa8525133
SHA1

c28cfdd4d9f80ba3873a134f9f21815e0b6540bc
SHA256

cfe9dc76a15fae96808fa814135113d763fcf418aae410cea34580b15fb00edd
SHA512

4cb1beada3ec189732331926b5db39d51654dbea5ae9bfe764d63636adf788312c2be7513c40186480d4140882b0a251dda292e7437aa3fc8ca437508ba7c044

Score

10^/10

njrat vjw0rm hacked by mustymoney evasion persistence suricata trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

File 2.js

Resource

win7-20220414-en

vjw0rm persistence suricata trojan worm

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

File 2.js

Resource

win10v2004-20220414-en

njrat vjw0rm hacked by mustymoney evasion persistence suricata trojan worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MustyMoney

C2

104.168.7.110:5552

Mutex

72f64d4ec723544c65ffca1cd7ba4ee6

Attributes

reg_key
72f64d4ec723544c65ffca1cd7ba4ee6
splitter
|'|'|

Targets

- Target
  
  File 2.js
- Size
  
  51KB
- MD5
  
  199c37a6953be6415f368cafa8525133
- SHA1
  
  c28cfdd4d9f80ba3873a134f9f21815e0b6540bc
- SHA256
  
  cfe9dc76a15fae96808fa814135113d763fcf418aae410cea34580b15fb00edd
- SHA512
  
  4cb1beada3ec189732331926b5db39d51654dbea5ae9bfe764d63636adf788312c2be7513c40186480d4140882b0a251dda292e7437aa3fc8ca437508ba7c044
Score

10^/10

vjw0rm persistence suricata trojan worm njrat hacked by mustymoney evasion
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
  suricata
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencesuricatatrojanworm

behavioral2

njratvjw0rmhacked by mustymoneyevasionpersistencesuricatatrojanworm

© 2018-2024

Terms | Privacy