Overview

overview

10

Static

static

10

1916-1-0x0...ry.exe

windows7-x64

10

1916-1-0x0...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1916-1-0x00000000009A0000-0x00000000009B8000-memory.dmp

  • Size

    96KB

  • Sample

    230908-zk964afc59

  • MD5

    c00262699ae0facbf297badd09233876

  • SHA1

    305a02a7c0623004c6b9fa2c91a883f840d751bc

  • SHA256

    00b3837b4417d77fce4803de069ccd1c7c453542067e52601947b744f9bf5239

  • SHA512

    845e7df25e8e4db1203b5f4abeef885c556f9a453ae99333cd0e2ff081f740245fdc1fc6311e1e83349d06895affa640808c67dd93e176fc8fd463c8ceb6ea65

  • SSDEEP

    1536:qExAU0oN36tuQviFw15GHyBnvb3fLteF3nLrB9z3nOaF9bhS9vM:bxAU0oN36tuQviFCYSBnDfWl9zeaF9bV

Score
10/10
njratcheatspersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Cheats

C2

127.0.0.1:1

Mutex

smss.exe

Attributes
  • reg_key

    smss.exe

  • splitter

    |Ghost|

Targets

    • Target

      1916-1-0x00000000009A0000-0x00000000009B8000-memory.dmp

    • Size

      96KB

    • MD5

      c00262699ae0facbf297badd09233876

    • SHA1

      305a02a7c0623004c6b9fa2c91a883f840d751bc

    • SHA256

      00b3837b4417d77fce4803de069ccd1c7c453542067e52601947b744f9bf5239

    • SHA512

      845e7df25e8e4db1203b5f4abeef885c556f9a453ae99333cd0e2ff081f740245fdc1fc6311e1e83349d06895affa640808c67dd93e176fc8fd463c8ceb6ea65

    • SSDEEP

      1536:qExAU0oN36tuQviFw15GHyBnvb3fLteF3nLrB9z3nOaF9bhS9vM:bxAU0oN36tuQviFCYSBnDfWl9zeaF9bV

    Score
    10/10
    njratcheatspersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks