njrat | 4e92e905f57ebec8e22df1c735211425dbbd2b64c9e77ad2ca774ff1dfbca13f | Triage

Sharing

General

Target

3beb45c3bb9d1b1d1470c960dddd4eac
Size

40KB
Sample

220627-qqatrabdbn
MD5

3beb45c3bb9d1b1d1470c960dddd4eac
SHA1

2d96cf028711c9cf6cc9482e387c1cbc43946255
SHA256

4e92e905f57ebec8e22df1c735211425dbbd2b64c9e77ad2ca774ff1dfbca13f
SHA512

0209c0afcc8968a0043c91483d050aa7a597a4ca79fb3d2fb210c9d2dbe37a2ef81a6555840e84c0bff2b61a911943da9f54910c9aa6d416508153e7df315b23

Score

10^/10

njrat vjw0rm hacked jfk evasion persistence suricata trojan worm

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HACKED JFK

C2

103.149.13.61:4545

Mutex

782e4e93b9158d4d448232ed139fc0db

Attributes

reg_key
782e4e93b9158d4d448232ed139fc0db
splitter
|'|'|

Targets

- Target
  
  Payloads.js
- Size
  
  58KB
- MD5
  
  94c08ba8dc8fa3697207c53665c1ddb3
- SHA1
  
  1af6156240c60e2b39269e3649b2a30f981e75b9
- SHA256
  
  40de3b364abfeae905e92cd564381d46a80c386c6011e37ce95df860abb572eb
- SHA512
  
  11e1a9c810ed146a09aa79ee3d500af4a24d1c2432d5e3b62e125738bf0737dcc110c6926224850e5436b6af6a95ce25b4f8b4de4070f1e53d12a0fbc616dedf
Score

10^/10

njrat vjw0rm hacked jfk evasion persistence suricata trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
  suricata
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratvjw0rmhacked jfkevasionpersistencesuricatatrojanworm

behavioral2

njratvjw0rmhacked jfkevasionpersistencesuricatatrojanworm