njrat | ac23fc53a20f5a19e8183bfba89bcf040d64bec45628c8f50fd80d13d4641081 | Triage

Submit
Reports

Overview

overview

Static

static

7

74b00da0f2...18.exe

windows7-x64

74b00da0f2...18.exe

windows10-2004-x64

Sharing

General

Target

74b00da0f2e4d0c8b6e2875d02fefcec_JaffaCakes118
Size

3.7MB
Sample

240526-hwl5zaah2t
MD5

74b00da0f2e4d0c8b6e2875d02fefcec
SHA1

2b8e618271ad1899c2caa9d4ee5dbd4529198046
SHA256

ac23fc53a20f5a19e8183bfba89bcf040d64bec45628c8f50fd80d13d4641081
SHA512

7a1bca3e407c263f64665713a2a94b6e4035e21b0a91adb86e7f820de5351ea9e8d7c68757264907213b9456d2c35326d4ad19b938ee3ca29cfd642cddb2e943
SSDEEP

98304:7957ilusIkAkVtXWZXo9Xph6w2vbXgaoqyy:vwrIkAomq9ZWbXrFyy

Score

10^/10

njrat octubre evasion themida trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

74b00da0f2e4d0c8b6e2875d02fefcec_JaffaCakes118.exe

Resource

win7-20240508-en

njrat octubre evasion themida trojan upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

74b00da0f2e4d0c8b6e2875d02fefcec_JaffaCakes118.exe

Resource

win10v2004-20240508-en

njrat octubre evasion themida trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Octubre

C2

njratnew.duckdns.org:3042

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
123

Targets

- Target
  
  74b00da0f2e4d0c8b6e2875d02fefcec_JaffaCakes118
- Size
  
  3.7MB
- MD5
  
  74b00da0f2e4d0c8b6e2875d02fefcec
- SHA1
  
  2b8e618271ad1899c2caa9d4ee5dbd4529198046
- SHA256
  
  ac23fc53a20f5a19e8183bfba89bcf040d64bec45628c8f50fd80d13d4641081
- SHA512
  
  7a1bca3e407c263f64665713a2a94b6e4035e21b0a91adb86e7f820de5351ea9e8d7c68757264907213b9456d2c35326d4ad19b938ee3ca29cfd642cddb2e943
- SSDEEP
  
  98304:7957ilusIkAkVtXWZXo9Xph6w2vbXgaoqyy:vwrIkAomq9ZWbXrFyy
Score

10^/10

njrat octubre evasion themida trojan upx
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratoctubreevasionthemidatrojanupx

behavioral2

njratoctubreevasionthemidatrojanupx

© 2018-2024

Terms | Privacy