njrat | 03966a81834fb029ed4539180f98f9d69942f0858edc0034994944a0ca5836ed | Triage

Sharing

General

Target

70c3d829bdae416936ca9d91f3af0377_JaffaCakes118
Size

123KB
Sample

240525-ebv1lade73
MD5

70c3d829bdae416936ca9d91f3af0377
SHA1

ead7d66cfdfc2107b6f066c8d847f6329e575eaa
SHA256

03966a81834fb029ed4539180f98f9d69942f0858edc0034994944a0ca5836ed
SHA512

8449dd8b097f429b5cd25b0dde808f1ff521b8eac85746c45406c06bf0cddfcc7c5ab2bacc76064af44663ee6d6492245b053d5609233c71de14059e8c064c18
SSDEEP

768:jCBNRrJkz1jeEbsnhuo5pHEWJGTTMHVMwNTR/E7EfffX71P1z1:jCBzCz1jPqh9Ht1

Score

10^/10

njrat bobao evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

bobao

C2

mectref.duckdns.org:2020

Mutex

a474c6d2b75d64b3ed1078b377b83c48

Attributes

reg_key
a474c6d2b75d64b3ed1078b377b83c48
splitter
|'|'|

Targets

- Target
  
  70c3d829bdae416936ca9d91f3af0377_JaffaCakes118
- Size
  
  123KB
- MD5
  
  70c3d829bdae416936ca9d91f3af0377
- SHA1
  
  ead7d66cfdfc2107b6f066c8d847f6329e575eaa
- SHA256
  
  03966a81834fb029ed4539180f98f9d69942f0858edc0034994944a0ca5836ed
- SHA512
  
  8449dd8b097f429b5cd25b0dde808f1ff521b8eac85746c45406c06bf0cddfcc7c5ab2bacc76064af44663ee6d6492245b053d5609233c71de14059e8c064c18
- SSDEEP
  
  768:jCBNRrJkz1jeEbsnhuo5pHEWJGTTMHVMwNTR/E7EfffX71P1z1:jCBzCz1jPqh9Ht1
Score

10^/10

njrat bobao evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratbobaoevasionpersistencetrojan

behavioral2

njratbobaoevasionpersistencetrojan