General

  • Target

    3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe

  • Size

    115KB

  • Sample

    240618-m3xx9svcnl

  • MD5

    3c1e278589484e8e5d535155b08573e0

  • SHA1

    273bddc784418ccaa0822201854276c0c9379d2a

  • SHA256

    972c24bd1d0c675187a1f65fc7c4b4a3fce48b23ec1ed198d49bbe116d4d6192

  • SHA512

    9c02d45412d83df6bb973559627cf5696c2dbc42346cbf15d8be1700a4edc3fbaa027367bba8707beb6d4b7bf69b32f6f01d9468af0b37e405d6d1c33e14f716

  • SSDEEP

    1536:WWp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4XEQhuxzuMiat6e:P5eznsjsguGDFqGZ2rie

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Targets

    • Target

      3c1e278589484e8e5d535155b08573e0_NeikiAnalytics.exe


    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Event Triggered Execution (T1546): 1
    Netsh Helper DLL (T1546.007): 1

  • Privilege Escalation

    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Event Triggered Execution (T1546): 1
    Netsh Helper DLL (T1546.007): 1

  • Defense Evasion

    Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks