njrat | 7cfef8383547624d13f707e8e2c8c14bd245c2c94d7c88056a275c172e69e622 | Triage

Sharing

General

Target

fe0c20fddcd97e561780c05bcd701714_JaffaCakes118
Size

284KB
Sample

240929-h7zkfavarm
MD5

fe0c20fddcd97e561780c05bcd701714
SHA1

551e0118edc1ca35e74e600e6778ef05693032d0
SHA256

7cfef8383547624d13f707e8e2c8c14bd245c2c94d7c88056a275c172e69e622
SHA512

44c77ad1d05adbcd3dad73fd590589ad4898dc8a05a5fbe2c914e48cfb1b252625253987cd44db80e24aa794b8f5622a41bd5b2db28de415a389ee27902d096e
SSDEEP

3072:/P25UIr0WJBlMA+9L+7wSmbO7NiPjxJPx2U2sqUBk4J8ZxdEEIOn6M74oA0:H17ivMA+9LSwuNMVhx2U2sTSHNNR4n

Score

10^/10

njrat تفرج يا عراق evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

تفرج يا عراق

C2

yahoo.dynns.com:180

Mutex

931ab9d1728b00028b347e4835a6fd55

Attributes

reg_key
931ab9d1728b00028b347e4835a6fd55
splitter
|'|'|

Targets

- Target
  
  fe0c20fddcd97e561780c05bcd701714_JaffaCakes118
- Size
  
  284KB
- MD5
  
  fe0c20fddcd97e561780c05bcd701714
- SHA1
  
  551e0118edc1ca35e74e600e6778ef05693032d0
- SHA256
  
  7cfef8383547624d13f707e8e2c8c14bd245c2c94d7c88056a275c172e69e622
- SHA512
  
  44c77ad1d05adbcd3dad73fd590589ad4898dc8a05a5fbe2c914e48cfb1b252625253987cd44db80e24aa794b8f5622a41bd5b2db28de415a389ee27902d096e
- SSDEEP
  
  3072:/P25UIr0WJBlMA+9L+7wSmbO7NiPjxJPx2U2sqUBk4J8ZxdEEIOn6M74oA0:H17ivMA+9LSwuNMVhx2U2sTSHNNR4n
Score

10^/10

njrat تفرج يا عراق evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratتفرج يا عراق evasionpersistenceprivilege_escalationtrojan

behavioral2

njratتفرج يا عراق evasionpersistenceprivilege_escalationtrojan