njrat | d0ee969dc5fb1cfa809e66fe2d0fb3d2ce5d9f2a258272d24675c279b285460b | Triage

Sharing

Copy URL Twitter E-mail

General

Target

5dc0f493b2eae8b86a9168d5269f8087_JaffaCakes118
Size

1.7MB
Sample

240520-hr53aagg48
MD5

5dc0f493b2eae8b86a9168d5269f8087
SHA1

b69e1c4571d303f3d26782d647ed42e868f57859
SHA256

d0ee969dc5fb1cfa809e66fe2d0fb3d2ce5d9f2a258272d24675c279b285460b
SHA512

a5626e39924a113c04cd510957e6f91eb9d95acfc3026fd94447b689b5922bca8c227a1ef541521c80faec64f783043fb5bcf3060148fbb7271f4bb720a9fadf
SSDEEP

24576:8sVo64ePI5181pSw6Gc+IOskmcPpCxwyQuzxgaXC+sv23DBLLNq/FGW:8iooP68rSw6GGOVB92lL

Score

10^/10

njrat cairooo evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

CAIROOO

C2

milla.publicvm.com:1177

Mutex

c74355ef32f6fb648297e3c65ba28fb4

Attributes

reg_key
c74355ef32f6fb648297e3c65ba28fb4
splitter
|'|'|

Targets

- Target
  
  5dc0f493b2eae8b86a9168d5269f8087_JaffaCakes118
- Size
  
  1.7MB
- MD5
  
  5dc0f493b2eae8b86a9168d5269f8087
- SHA1
  
  b69e1c4571d303f3d26782d647ed42e868f57859
- SHA256
  
  d0ee969dc5fb1cfa809e66fe2d0fb3d2ce5d9f2a258272d24675c279b285460b
- SHA512
  
  a5626e39924a113c04cd510957e6f91eb9d95acfc3026fd94447b689b5922bca8c227a1ef541521c80faec64f783043fb5bcf3060148fbb7271f4bb720a9fadf
- SSDEEP
  
  24576:8sVo64ePI5181pSw6Gc+IOskmcPpCxwyQuzxgaXC+sv23DBLLNq/FGW:8iooP68rSw6GGOVB92lL
Score

10^/10

njrat cairooo evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratcairoooevasionpersistencetrojan

behavioral2

njratcairoooevasionpersistencetrojan