njrat | 180c1593184328ae276173554183e068d0f8379f1aaec63c7ad705042fbc7d73 | Triage

Sharing

General

Target

ef88013105357db2be870d0557f41e7c_JaffaCakes118
Size

14KB
Sample

240921-lsmh4swckf
MD5

ef88013105357db2be870d0557f41e7c
SHA1

906864394a1715f283ba1a724b521b6e36827195
SHA256

180c1593184328ae276173554183e068d0f8379f1aaec63c7ad705042fbc7d73
SHA512

adfa4b061310545573b4da835b0c52f39b6986daf6e775cb1c0d263a21e99e04a7653f7ad2a17f0341c184e7e6df48d17d74d0aa2bda3b3b54612ec0a63b3856
SSDEEP

384:QfQQHn64PSWRgaJ3qeG3Rxos7d3o+4SGazpDJPX+cAS3:2QQa4qW643qRos72VSGop1WK

Score

10^/10

njrat hacked by hidden person discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked By HiDDen PerSOn

C2

l1x.ddns.net:5552

Mutex

452d007e0e891c3400f56e8d13041c1e

Attributes

reg_key
452d007e0e891c3400f56e8d13041c1e
splitter
|'|'|

Targets

- Target
  
  L1xware.exe
- Size
  
  32KB
- MD5
  
  b369b171954015e188eb2646dbd4c817
- SHA1
  
  41b79bd407b8c6a6edc87c66e6692bf203ce749b
- SHA256
  
  6aeada94389e3c6c001857ce2e22139e63a4ece256faf3dcde568adadfdc1bf5
- SHA512
  
  0acc701ff7a30dbc665847fd06094737ae863b228459661dfbb0e42fcfc92585c09e391876787ca6fd99002e3c997390f40bcf07d2a87ff7d6bc69416ee03efc
- SSDEEP
  
  384:WF5kg0KQUvUpsi+daDpyFva9dFPIQL1fJfiTK2glD4odg9TduS/EIGsJjwE7UMcY:Oo0Ldae8/FmouDuCEIGfRt+f
Score

10^/10

njrat hacked by hidden person discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

hacked by hidden personnjrat

behavioral1

njrathacked by hidden persondiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan