njrat | f30fa5c016d193a853c0e8e8b7bb783599e4d3b02d2c0926ac06775dbbfe2aa4 | Triage

Sharing

General

Target

f497ff08280a9f540baaa4866addc7ec_JaffaCakes118
Size

23KB
Sample

240924-11fg4a1ekg
MD5

f497ff08280a9f540baaa4866addc7ec
SHA1

3922255be0ee4e809ac0bd8210dc1ad08116d00a
SHA256

f30fa5c016d193a853c0e8e8b7bb783599e4d3b02d2c0926ac06775dbbfe2aa4
SHA512

ce4e605bd8946fd5593549da45a2f0fa9c0fd9ce3beee8556a057132779d84eab9bcfde28d6c47ecb0bb10824f46094de60d9bec1b8923cf2b36946ed47062c7
SSDEEP

384:yMqYmCsg/yJrQ7hucGSl7UJx4g6JgfCcosjdomRvR6JZlbw8hqIusZzZpI:yErG0Btl7cRpcnud

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

0932343ebc836c39c857a65dc20ea0fb

Attributes

reg_key
0932343ebc836c39c857a65dc20ea0fb
splitter
|'|'|

Targets

- Target
  
  f497ff08280a9f540baaa4866addc7ec_JaffaCakes118
- Size
  
  23KB
- MD5
  
  f497ff08280a9f540baaa4866addc7ec
- SHA1
  
  3922255be0ee4e809ac0bd8210dc1ad08116d00a
- SHA256
  
  f30fa5c016d193a853c0e8e8b7bb783599e4d3b02d2c0926ac06775dbbfe2aa4
- SHA512
  
  ce4e605bd8946fd5593549da45a2f0fa9c0fd9ce3beee8556a057132779d84eab9bcfde28d6c47ecb0bb10824f46094de60d9bec1b8923cf2b36946ed47062c7
- SSDEEP
  
  384:yMqYmCsg/yJrQ7hucGSl7UJx4g6JgfCcosjdomRvR6JZlbw8hqIusZzZpI:yErG0Btl7cRpcnud
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan