njrat | 0939566b6e6999d7b1ec2061cccd35be75c25efbd1e4093aae3f6b0ef7d72d33 | Triage

Sharing

General

Target

e8f760b4f78ef5d36cf4082bb46cc3d6_JaffaCakes118
Size

23KB
Sample

240918-m3agzaxgrm
MD5

e8f760b4f78ef5d36cf4082bb46cc3d6
SHA1

aa15e7b47946938df2bffe288f2e86b820547dbd
SHA256

0939566b6e6999d7b1ec2061cccd35be75c25efbd1e4093aae3f6b0ef7d72d33
SHA512

9f8013ba1a86afe26ee26093b54749aea4a816fa71df82768c949e2bd6f1787ced3a221bd92ce36a3b02ade307629adb8052b8bbdc6dfcc2ddda12c2cb92badf
SSDEEP

384:GFQeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZj1+:GK5yBVd7RpcnuD

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

zerip.ddns.net:1177

Mutex

59176411e6976993f96dcc65b04bc11d

Attributes

reg_key
59176411e6976993f96dcc65b04bc11d
splitter
|'|'|

Targets

- Target
  
  e8f760b4f78ef5d36cf4082bb46cc3d6_JaffaCakes118
- Size
  
  23KB
- MD5
  
  e8f760b4f78ef5d36cf4082bb46cc3d6
- SHA1
  
  aa15e7b47946938df2bffe288f2e86b820547dbd
- SHA256
  
  0939566b6e6999d7b1ec2061cccd35be75c25efbd1e4093aae3f6b0ef7d72d33
- SHA512
  
  9f8013ba1a86afe26ee26093b54749aea4a816fa71df82768c949e2bd6f1787ced3a221bd92ce36a3b02ade307629adb8052b8bbdc6dfcc2ddda12c2cb92badf
- SSDEEP
  
  384:GFQeCo2zmZbQHkJeCdUwBvQ61gjuQBnB9mRvR6JZlbw8hqIusZzZj1+:GK5yBVd7RpcnuD
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan