njrat | 6821de637a9c0a7388c6b9ee34ca8843fd259b9b027e6af27615d122e7e77c11 | Triage

Sharing

General

Target

81c9eff3fbe72b983ab2c52dd7183fe6_JaffaCakes118
Size

1.4MB
Sample

240801-1bs2wswhkr
MD5

81c9eff3fbe72b983ab2c52dd7183fe6
SHA1

7e518445497609960ff3ce0c79cd01682295acfc
SHA256

6821de637a9c0a7388c6b9ee34ca8843fd259b9b027e6af27615d122e7e77c11
SHA512

758e0f7a6d8ffe354a4af33cc7b05194a39d448ab9786cd2b7fb6ef8921a9d77e471c5662b43d4b60d60843389f8e55ac55f0e9d3ba754a511507d45aefc46ef
SSDEEP

24576:x74qXU1nEcmn2YlaIbg03q7mRawAiiX8H3E21zKbt51:x77k+n2Y8Ib27mRaLVqEqGt5

Score

10^/10

njrat moo salah discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MOO SALAH

C2

milla.publicvm.com:1177

Mutex

b9abd535ae166ceac71e91d5d5dc48be

Attributes

reg_key
b9abd535ae166ceac71e91d5d5dc48be
splitter
|'|'|

Targets

- Target
  
  81c9eff3fbe72b983ab2c52dd7183fe6_JaffaCakes118
- Size
  
  1.4MB
- MD5
  
  81c9eff3fbe72b983ab2c52dd7183fe6
- SHA1
  
  7e518445497609960ff3ce0c79cd01682295acfc
- SHA256
  
  6821de637a9c0a7388c6b9ee34ca8843fd259b9b027e6af27615d122e7e77c11
- SHA512
  
  758e0f7a6d8ffe354a4af33cc7b05194a39d448ab9786cd2b7fb6ef8921a9d77e471c5662b43d4b60d60843389f8e55ac55f0e9d3ba754a511507d45aefc46ef
- SSDEEP
  
  24576:x74qXU1nEcmn2YlaIbg03q7mRawAiiX8H3E21zKbt51:x77k+n2Y8Ib27mRaLVqEqGt5
Score

10^/10

njrat moo salah discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratmoo salahdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratmoo salahdiscoveryevasionpersistenceprivilege_escalationtrojan