njrat | 5f98850c93410730ab6562feef04fefe3855e3ff81dc6ea30ee9283b3b0615cb | Triage

Sharing

General

Target

e7332feab4157604fcfba589b0c1ac10_JaffaCakes118
Size

78KB
Sample

240917-tkv5aasbkj
MD5

e7332feab4157604fcfba589b0c1ac10
SHA1

a0c3de942da595cc952408098b3c086b62efdc1a
SHA256

5f98850c93410730ab6562feef04fefe3855e3ff81dc6ea30ee9283b3b0615cb
SHA512

5cb26866e15292569c24d0f4b6bc370f577de9a1ea992fec52e4606e704a325ebf7ca46da898a79d373eeb7ebbe3f97f3726784aa6f92b5451d5d7fbce7f77b4
SSDEEP

1536:DQsCupcLXrMYWmUW+pz0usw8JNlBOEYZF+x8:DpbYWmUW+pgusLJNlwEYZIx8

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

107.150.12.44:14532

Mutex

9e12b36449cc78d34159a3c000b6fc6a

Attributes

reg_key
9e12b36449cc78d34159a3c000b6fc6a
splitter
|'|'|

Targets

- Target
  
  e7332feab4157604fcfba589b0c1ac10_JaffaCakes118
- Size
  
  78KB
- MD5
  
  e7332feab4157604fcfba589b0c1ac10
- SHA1
  
  a0c3de942da595cc952408098b3c086b62efdc1a
- SHA256
  
  5f98850c93410730ab6562feef04fefe3855e3ff81dc6ea30ee9283b3b0615cb
- SHA512
  
  5cb26866e15292569c24d0f4b6bc370f577de9a1ea992fec52e4606e704a325ebf7ca46da898a79d373eeb7ebbe3f97f3726784aa6f92b5451d5d7fbce7f77b4
- SSDEEP
  
  1536:DQsCupcLXrMYWmUW+pz0usw8JNlBOEYZF+x8:DpbYWmUW+pgusLJNlwEYZIx8
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Modifies WinLogon for persistence
  persistence
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan