njrat | 96fffb7a76f1b3c9073d35f35292f987304538e1e8c7b8b234872a47c94aab0d | Triage

Sharing

General

Target

5815e2a52d0329e01dd7b725079d214b
Size

98KB
Sample

220621-rt8qmaebdj
MD5

5815e2a52d0329e01dd7b725079d214b
SHA1

7a21939657d41ead3a20e9bd777b8370ca393de9
SHA256

96fffb7a76f1b3c9073d35f35292f987304538e1e8c7b8b234872a47c94aab0d
SHA512

cb43f81d887e9b192e440c8bf3626f3ecf4e89771de4c573a2c72f3096d2994e466060a667c970f4fd8f9d372c0dbda043b5304cd19f70c41fac1f6e0e296041

Score

10^/10

njrat vjw0rm hacked by mustymoney evasion persistence trojan worm

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed By MustyMoney

C2

104.168.7.110:5552

Mutex

72f64d4ec723544c65ffca1cd7ba4ee6

Attributes

reg_key
72f64d4ec723544c65ffca1cd7ba4ee6
splitter
|'|'|

Targets

- Target
  
  MgBMOjoQWC_hwstub.js
- Size
  
  51KB
- MD5
  
  0c7657296a9994e6446ff500bc1b76c3
- SHA1
  
  bfdc4584c89faa7f3356549494331ccc8497ab33
- SHA256
  
  692a8be00d69e5d0782766f270046aa871fea041e63d125da9e1252b135623f3
- SHA512
  
  8549c221d3316d3a57feb5c4bdca51ae504f5479e22b83150a9eca82fb0b5f8ef8b2aa134d2b96c5bef42a170cc7c4dc8099606f71fabcd490732f7b8926213d
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  bJHtVihBXX_acserver.js
- Size
  
  70KB
- MD5
  
  3fb233467088b6906ae7ea8002352e86
- SHA1
  
  7f318b6db9a28e39bd0162945295f787956eba61
- SHA256
  
  db2525eb120cddd924084eb2d3adada700a65066f46f6c3675e47377ef09ee20
- SHA512
  
  e36763c44d0c1e46a986299e3499d476e6e920e8c6d8e704c832457d0ff7725dfa3f29944025a3c9b4205234e285bfdbb69c281f22e1945bcda6094488824cd2
Score

10^/10

njrat vjw0rm hacked by mustymoney evasion persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  sYCuOOjDOl_vjstub.js
- Size
  
  29KB
- MD5
  
  dac9ed798f79a40ef59756c710f61593
- SHA1
  
  199bfa38a09181e9396cef4d3b29b0762c5ba987
- SHA256
  
  94036cd95dde4d8ec66e76a24755a15ac474c64b12e74ec87d29ff9b8a889160
- SHA512
  
  ec5119052e545e0246234b51777bc3a1a3a64ea0c9a3eab98b948896235bd5a49eca1616788636dc09ddd8328382f00b03e5c39139972cff2198667baf5bbcef
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Modify Existing Service

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

vjw0rmpersistencetrojanworm

behavioral2

vjw0rmpersistencetrojanworm

behavioral3

njratvjw0rmhacked by mustymoneyevasionpersistencetrojanworm

behavioral4

njratvjw0rmhacked by mustymoneyevasionpersistencetrojanworm

behavioral5

vjw0rmpersistencetrojanworm

behavioral6

vjw0rmpersistencetrojanworm