njrat | c7cc2d0b72eba9ef36f0ec9ad721b8a9e0dbaacb9121ccbead85b9751eb6f45b | Triage

Sharing

General

Target

wscript.exe
Size

93KB
Sample

240423-a9bmdsae31
MD5

50af5e7d5d665f6e9cca447af7e8b1e5
SHA1

8cde307749103cf895cd8c2d87a8a73aa1017fa8
SHA256

c7cc2d0b72eba9ef36f0ec9ad721b8a9e0dbaacb9121ccbead85b9751eb6f45b
SHA512

abdcb709f2c1c7e951b9f4a61b0766db965376476043fba7c8f182740ece3e2be6ca2e7a66e09c1327274af2f507fb2cf3f5e39b2b80619f5aa33b8fb28117e2
SSDEEP

768:QY3CUfhWXxyFcxovUKUJuROprXtWNEpeYhYbmXxrjEtCdnl2pi1Rz4Rk3lsGdpc3:KU5WhIUKcuOJRpPhBjEwzGi1dD1DcgS

Score

10^/10

njrat hacked evasion

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

wscript.ddns.net:5552

Mutex

7cf4c2536f30115b1e3e9ebf8675233a

Attributes

reg_key
7cf4c2536f30115b1e3e9ebf8675233a
splitter
|'|'|

Targets

- Target
  
  wscript.exe
- Size
  
  93KB
- MD5
  
  50af5e7d5d665f6e9cca447af7e8b1e5
- SHA1
  
  8cde307749103cf895cd8c2d87a8a73aa1017fa8
- SHA256
  
  c7cc2d0b72eba9ef36f0ec9ad721b8a9e0dbaacb9121ccbead85b9751eb6f45b
- SHA512
  
  abdcb709f2c1c7e951b9f4a61b0766db965376476043fba7c8f182740ece3e2be6ca2e7a66e09c1327274af2f507fb2cf3f5e39b2b80619f5aa33b8fb28117e2
- SSDEEP
  
  768:QY3CUfhWXxyFcxovUKUJuROprXtWNEpeYhYbmXxrjEtCdnl2pi1Rz4Rk3lsGdpc3:KU5WhIUKcuOJRpPhBjEwzGi1dD1DcgS
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Drops startup file
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2