njrat | 5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1 | Triage

Sharing

General

Target

5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1
Size

93KB
Sample

240910-13jmjayhna
MD5

c6d44b4f274fb0b1a0c1b3c5d2ca7f56
SHA1

74d08d1b9ffc4d590ce3da49bb7733bc56bf2e47
SHA256

5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1
SHA512

79b669667be9fe824e14d566133d46a016e2bb0ed202be75a9c10b0a808d20a6fb91cf649f1324936447f82cd314b6e564726265dac0f102a62177afc75971e1
SSDEEP

1536:++zSyh6zaoFjuF0VR5jEwzGi1dDzDHgS:++AzaujucRWi1dDA

Score

10^/10

njrat victim discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Victim

C2

hakim32.ddns.net:2000

who-premier.gl.at.ply.gg:41489

Mutex

81a450f9bb0676b239d695d97260d385

Attributes

reg_key
81a450f9bb0676b239d695d97260d385
splitter
|'|'|

Targets

- Target
  
  5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1
- Size
  
  93KB
- MD5
  
  c6d44b4f274fb0b1a0c1b3c5d2ca7f56
- SHA1
  
  74d08d1b9ffc4d590ce3da49bb7733bc56bf2e47
- SHA256
  
  5ff9c41518353b1c970d4f3b349081265ae8a944dd51255ef60edcfd726c20f1
- SHA512
  
  79b669667be9fe824e14d566133d46a016e2bb0ed202be75a9c10b0a808d20a6fb91cf649f1324936447f82cd314b6e564726265dac0f102a62177afc75971e1
- SSDEEP
  
  1536:++zSyh6zaoFjuF0VR5jEwzGi1dDzDHgS:++AzaujucRWi1dDA
Score

10^/10

njrat victim discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratvictimdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation