njrat | b9350cb2aee92e998966724ea417cd190168c04aa7076a066a501bfe11ba6634 | Triage

Sharing

General

Target

79b9b099156256cb19fa71a76875af42_JaffaCakes118
Size

1.4MB
Sample

240527-tvrjvaaa8z
MD5

79b9b099156256cb19fa71a76875af42
SHA1

f06b7e33bdab81575ad1104487f6a2344471af22
SHA256

b9350cb2aee92e998966724ea417cd190168c04aa7076a066a501bfe11ba6634
SHA512

9d8fa141fd1c548f3b6e242dd26e9b9d178c30a1d978c148f6c37fcbc1ad86d5f5a6ebdc402f14f306932ff06c27c813545e15b65828a7a22a472110fc1d32ca
SSDEEP

24576:kNWYB+HYByYMrWroN7+vqyh4CDPKZ4MCxtuwnFD:kEYBdproB+vsOCZbwnN

Score

10^/10

njrat cairooo evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

CAIROOO

C2

milla.publicvm.com:1177

Mutex

aec7032e3c9359479964a262190da620

Attributes

reg_key
aec7032e3c9359479964a262190da620
splitter
|'|'|

Targets

- Target
  
  79b9b099156256cb19fa71a76875af42_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  79b9b099156256cb19fa71a76875af42
- SHA1
  
  f06b7e33bdab81575ad1104487f6a2344471af22
- SHA256
  
  b9350cb2aee92e998966724ea417cd190168c04aa7076a066a501bfe11ba6634
- SHA512
  
  9d8fa141fd1c548f3b6e242dd26e9b9d178c30a1d978c148f6c37fcbc1ad86d5f5a6ebdc402f14f306932ff06c27c813545e15b65828a7a22a472110fc1d32ca
- SSDEEP
  
  24576:kNWYB+HYByYMrWroN7+vqyh4CDPKZ4MCxtuwnFD:kEYBdproB+vsOCZbwnN
Score

10^/10

njrat cairooo evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratcairoooevasionpersistencetrojan

behavioral2

njratcairoooevasionpersistencetrojan