njrat | 30a97424de37700e28594490078fd4f83771b5ed41353e2d741b6e5197f3bd50 | Triage

Sharing

General

Target

610bbd7b80a378cbbb32e0f6526ac6d9_JaffaCakes118
Size

669KB
Sample

240520-12nvvshb78
MD5

610bbd7b80a378cbbb32e0f6526ac6d9
SHA1

0dab71c2cbd2a9ea09daa98f84daaffd47906de5
SHA256

30a97424de37700e28594490078fd4f83771b5ed41353e2d741b6e5197f3bd50
SHA512

431c32790ad97917b2959de8d3cfc2dc3b1946eb8e74531331f450aa4a3bb5df23f9d2bcef7e57d111a98fec408e6ee2ab6c95868b6e58eda0ed3cf13f1b1ac3
SSDEEP

12288:Mg+RvKEDbSTME1GUa+VX1Q1J+oRvK4D0bip4U2KEv1kQVRTM:MgyN+TdlQj+IziC4U2T9h

Score

10^/10

njrat تم الاختراق من قبل دكتور الغربية #agilenet evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

تم الاختراق من قبل دكتور الغربية #

C2

Dr187.ddns.net:999

Mutex

59e66e4fd01ed7a53bb65713760bdb7d

Attributes

reg_key
59e66e4fd01ed7a53bb65713760bdb7d
splitter
|'|'|

Targets

- Target
  
  610bbd7b80a378cbbb32e0f6526ac6d9_JaffaCakes118
- Size
  
  669KB
- MD5
  
  610bbd7b80a378cbbb32e0f6526ac6d9
- SHA1
  
  0dab71c2cbd2a9ea09daa98f84daaffd47906de5
- SHA256
  
  30a97424de37700e28594490078fd4f83771b5ed41353e2d741b6e5197f3bd50
- SHA512
  
  431c32790ad97917b2959de8d3cfc2dc3b1946eb8e74531331f450aa4a3bb5df23f9d2bcef7e57d111a98fec408e6ee2ab6c95868b6e58eda0ed3cf13f1b1ac3
- SSDEEP
  
  12288:Mg+RvKEDbSTME1GUa+VX1Q1J+oRvK4D0bip4U2KEv1kQVRTM:MgyN+TdlQj+IziC4U2T9h
Score

10^/10

njrat تم الاختراق من قبل دكتور الغربية #agilenet evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratتم الاختراق من قبل دكتور الغربية #agilenetevasionpersistencetrojan

behavioral2

njratتم الاختراق من قبل دكتور الغربية #agilenetevasionpersistencetrojan