njrat | 81a572f1f7feb419b70e9fbe890348dcb3bdda3cb1adad2265ffd527b643b794 | Triage

Sharing

General

Target

c729fc50e20cad4217a371e495c1ad13_JaffaCakes118
Size

282KB
Sample

240828-ta2jbawgqj
MD5

c729fc50e20cad4217a371e495c1ad13
SHA1

81061d277a115841d77b76096967c25c30eb29b9
SHA256

81a572f1f7feb419b70e9fbe890348dcb3bdda3cb1adad2265ffd527b643b794
SHA512

feb82cc70145fccdbf008d5e862e6f1a07a850bdac417cb64f44bfda4b70e8172dca184bf0491e4f55e92eb7d1c3438456b1e779eabcfece9ca4083d85d89afc
SSDEEP

6144:bvnbmeupUYeDsubYWZnI75wITdyOzUcnoU:zi1pHubYWBISydyOz5

Score

10^/10

njrat memu new discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Memu new

C2

lganashadow.servemp3.com:653

Mutex

Intrnetdownloadmanger

Attributes

reg_key
Intrnetdownloadmanger
splitter
Sky

Targets

- Target
  
  c729fc50e20cad4217a371e495c1ad13_JaffaCakes118
- Size
  
  282KB
- MD5
  
  c729fc50e20cad4217a371e495c1ad13
- SHA1
  
  81061d277a115841d77b76096967c25c30eb29b9
- SHA256
  
  81a572f1f7feb419b70e9fbe890348dcb3bdda3cb1adad2265ffd527b643b794
- SHA512
  
  feb82cc70145fccdbf008d5e862e6f1a07a850bdac417cb64f44bfda4b70e8172dca184bf0491e4f55e92eb7d1c3438456b1e779eabcfece9ca4083d85d89afc
- SSDEEP
  
  6144:bvnbmeupUYeDsubYWZnI75wITdyOzUcnoU:zi1pHubYWBISydyOz5
Score

10^/10

njrat memu new discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratmemu newdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation