General

  • Target

    niggaOS.exe

  • Size

    46KB

  • Sample

    221020-txhdysdea7

  • MD5

    6298049d70017cf38ac1f2c815221e48

  • SHA1

    e2206d5750377917486eec1a24cc1fe5f7d6e0d7

  • SHA256

    9e41fdbb903f822603a8e2d311238de70ed00109a1e68c36e2b4abee31b28cee

  • SHA512

    1af2449f76172cb123fcbfb0906c469d3c319793f485b447d8540d20ac0cd76e59a3ac55a5b558de83fe67d5e68112642dd3f11254893fa7b38ab527d22bbcd9

  • SSDEEP

    768:drqHpR9Ef5HOiCFsZrM+rMRa8NuR9thA:dWHpRyhHAa6+gRJNuh

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    Lime

  • C2

    enderop44-36084.portmap.host:36084

  • Mutex

    6878a8a311cfa64f9d4241424faeca3d

Attributes

  • reg_key

    6878a8a311cfa64f9d4241424faeca3d

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access

    Replication Through Removable Media (1 signature) T1091

  • Persistence

    Modify Existing Service (1 signature) T1031

    Registry Run Keys / Startup Folder (1 signature) T1060

  • Defense Evasion

    Modify Registry (1 signature) T1112

  • Discovery

    Query Registry (1 signature) T1012

    System Information Discovery (2 signatures) T1082

  • Lateral Movement

    Replication Through Removable Media (1 signature) T1091

Tasks