njrat | c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317 | Triage

Sharing

General

Target

fe539f5b615a9dbb6c67e91499888daf_JaffaCakes118
Size

37KB
Sample

240929-mfhvtszenm
MD5

fe539f5b615a9dbb6c67e91499888daf
SHA1

267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
SHA256

c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
SHA512

cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a
SSDEEP

384:mM6CiMWB63fbw6ZfrZUy8fyyHFegGVbORvIrAF+rMRTyN/0L+EcoinblneHQM3eB:Rq0DwODZX8fyyE9OhIrM+rMRa8NuMit

Score

10^/10

njrat karochedauni discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

karochedauni

C2

194.34.132.152:7576

Mutex

e4cef66ebf3fdf7f22614d89de91686c

Attributes

reg_key
e4cef66ebf3fdf7f22614d89de91686c
splitter
|'|'|

Targets

- Target
  
  fe539f5b615a9dbb6c67e91499888daf_JaffaCakes118
- Size
  
  37KB
- MD5
  
  fe539f5b615a9dbb6c67e91499888daf
- SHA1
  
  267e7b00433be2c8ac5d1c8a4ee1d90065d8094b
- SHA256
  
  c8c743dbb1eae089af4724f547b6a0b0c38e7b25fbc5699e5218dad4cfe1e317
- SHA512
  
  cdf6a70381022504e3dd967626c4b560d8cadf3357055ceacd615f05f18315caab0b591d0bcb242bb9e3d524d6124eb054826b21c5873035fb72f28e57b0784a
- SSDEEP
  
  384:mM6CiMWB63fbw6ZfrZUy8fyyHFegGVbORvIrAF+rMRTyN/0L+EcoinblneHQM3eB:Rq0DwODZX8fyyE9OhIrM+rMRa8NuMit
Score

10^/10

njrat karochedauni discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

karochedauninjrat

behavioral1

njratkarochedaunidiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation