njrat | b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f | Triage

Sharing

General

Target

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118
Size

677KB
Sample

240420-eyg29ahb4v
MD5

fbea1348950ebaa7d90f9d51dd0a7a9c
SHA1

9b37e6de95224163cc1378d2be066e1189fbe387
SHA256

b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f
SHA512

ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b
SSDEEP

12288:55VfzdeGreeF09DPa5b9h7ukziWy9EUKFTZdXTZdHXTZdXTZdVfzdeGreeF09DP0:5bdm2x9ESiWy9EFFTZdXTZdHXTZdXTZ5

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

62.227.124.106:5552

Mutex

b65a1c967a241651fee52d79e3eaa41f

Attributes

reg_key
b65a1c967a241651fee52d79e3eaa41f
splitter
|'|'|

Targets

- Target
  
  fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118
- Size
  
  677KB
- MD5
  
  fbea1348950ebaa7d90f9d51dd0a7a9c
- SHA1
  
  9b37e6de95224163cc1378d2be066e1189fbe387
- SHA256
  
  b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f
- SHA512
  
  ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b
- SSDEEP
  
  12288:55VfzdeGreeF09DPa5b9h7ukziWy9EUKFTZdXTZdHXTZdXTZdVfzdeGreeF09DP0:5bdm2x9ESiWy9EFFTZdXTZdHXTZdXTZ5
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

njrathackedevasionpersistencetrojan

behavioral2

njratpersistencetrojan