njrat | c33fd04b22feb761253055d2674a112d6b527aa3f78e585d1f2d26df3e8512e7 | Triage

Sharing

General

Target

Server.exe
Size

93KB
Sample

240929-ye4xfs1eqa
MD5

fccac9bf6c83173de191751a3cc75688
SHA1

5a5f6db3aa85d921707822af7be0f749c00699f6
SHA256

c33fd04b22feb761253055d2674a112d6b527aa3f78e585d1f2d26df3e8512e7
SHA512

db453c4df92e6c274a6e558ed2a95ab4b22d17887dcebaf4760f9e7f2e0d6fc7e2cbe05f4e52690a54414bb466e39f85550535bede6e0979fe7e3499f19c487b
SSDEEP

1536:xkAY3SUFKnOr70txlZbgoGXejEwzGi1dDQDJgS:xkt7KnOr70txIXni1d+G

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:8080

Mutex

c4aa78f645d876115299e9c20edace12

Attributes

reg_key
c4aa78f645d876115299e9c20edace12
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  93KB
- MD5
  
  fccac9bf6c83173de191751a3cc75688
- SHA1
  
  5a5f6db3aa85d921707822af7be0f749c00699f6
- SHA256
  
  c33fd04b22feb761253055d2674a112d6b527aa3f78e585d1f2d26df3e8512e7
- SHA512
  
  db453c4df92e6c274a6e558ed2a95ab4b22d17887dcebaf4760f9e7f2e0d6fc7e2cbe05f4e52690a54414bb466e39f85550535bede6e0979fe7e3499f19c487b
- SSDEEP
  
  1536:xkAY3SUFKnOr70txlZbgoGXejEwzGi1dDQDJgS:xkt7KnOr70txIXni1d+G
Score

8^/10

discovery evasion persistence privilege_escalation
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation