njrat | 33474be63039cfdd63aec01663d5390eb5080534905830238418fcd3c24ea1f9 | Triage

Sharing

General

Target

92d8c364561a545dfc4fb648f72cddaa_JaffaCakes118
Size

23KB
Sample

240603-2kfctsbf6t
MD5

92d8c364561a545dfc4fb648f72cddaa
SHA1

ea72e78d48afdba8a8b9ca73e95107ef3933997d
SHA256

33474be63039cfdd63aec01663d5390eb5080534905830238418fcd3c24ea1f9
SHA512

fb27e8aa8ac753a1a6ff4c333f440888d3d0b304b7a02301fe817a98a5b467d1428c52c479859056e3a68d90bd2d45f58fc2e6984f99e32096b32ab19414d3cc
SSDEEP

384:GYmCsw/yJrQ7tRGSQCY1r46JgfCcBjdhmRvR6JZlbw8hqIusZzZDV:p7GktQBRpcnuu

Score

10^/10

njrat fud-02/10/63 evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

FUD-02/10/63

C2

ddnshost-microsofts.serveftp.com:69

Mutex

04e031bc9b9f40f12845cc2f6c2e6b95

Attributes

reg_key
04e031bc9b9f40f12845cc2f6c2e6b95
splitter
|'|'|

Targets

- Target
  
  92d8c364561a545dfc4fb648f72cddaa_JaffaCakes118
- Size
  
  23KB
- MD5
  
  92d8c364561a545dfc4fb648f72cddaa
- SHA1
  
  ea72e78d48afdba8a8b9ca73e95107ef3933997d
- SHA256
  
  33474be63039cfdd63aec01663d5390eb5080534905830238418fcd3c24ea1f9
- SHA512
  
  fb27e8aa8ac753a1a6ff4c333f440888d3d0b304b7a02301fe817a98a5b467d1428c52c479859056e3a68d90bd2d45f58fc2e6984f99e32096b32ab19414d3cc
- SSDEEP
  
  384:GYmCsw/yJrQ7tRGSQCY1r46JgfCcBjdhmRvR6JZlbw8hqIusZzZDV:p7GktQBRpcnuu
Score

10^/10

njrat fud-02/10/63 evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

fud-02/10/63njrat

behavioral1

njratfud-02/10/63evasionpersistencetrojan

behavioral2

njratevasionpersistencetrojan