njrat | 91aeac27a8ca345eaa6926aecaf8868888d5b14e1164b54d3c57fec6aedef22e | Triage

Sharing

General

Target

ff70095137235f6ca0adde65cf76d52b_JaffaCakes118
Size

25KB
Sample

240929-2tta2sthmp
MD5

ff70095137235f6ca0adde65cf76d52b
SHA1

6d58603b98c1e5ff21a65c8db1d9a76363c37b26
SHA256

91aeac27a8ca345eaa6926aecaf8868888d5b14e1164b54d3c57fec6aedef22e
SHA512

4a526b173eb3b78580962be6c11792b8fc84a2d9fcc5d680b9ab92f5c00c65f0ca307f2c878778194e80b30683c3f738ff5e12e8cab5d6aeeacefc3535f626aa
SSDEEP

384:bc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ2KXNek+vD:AIU0tw3RpcnuW

Score

10^/10

njrat microsoft discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

Madest 0.7d

Botnet

Microsoft

C2

kirya.hopto.org:1604

Mutex

3b0993c80a0a836b6ed4d0b2940db392

Attributes

reg_key
3b0993c80a0a836b6ed4d0b2940db392
splitter
|'|'|

Targets

- Target
  
  ff70095137235f6ca0adde65cf76d52b_JaffaCakes118
- Size
  
  25KB
- MD5
  
  ff70095137235f6ca0adde65cf76d52b
- SHA1
  
  6d58603b98c1e5ff21a65c8db1d9a76363c37b26
- SHA256
  
  91aeac27a8ca345eaa6926aecaf8868888d5b14e1164b54d3c57fec6aedef22e
- SHA512
  
  4a526b173eb3b78580962be6c11792b8fc84a2d9fcc5d680b9ab92f5c00c65f0ca307f2c878778194e80b30683c3f738ff5e12e8cab5d6aeeacefc3535f626aa
- SSDEEP
  
  384:bc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ2KXNek+vD:AIU0tw3RpcnuW
Score

10^/10

njrat microsoft discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratmicrosoftdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan