njrat | 8fd02983022b9f09835b9cda8b137bf9888b41dbb60bc535b7fc714840b4acbc | Triage

Sharing

General

Target

8fd02983022b9f09835b9cda8b137bf9888b41dbb60bc535b7fc714840b4acbcN
Size

93KB
Sample

240930-f1tphazbmj
MD5

2a48072cf35f77e231543cff655449b0
SHA1

de6a10cc189f9d8bff617c8cab750558ad761bb7
SHA256

8fd02983022b9f09835b9cda8b137bf9888b41dbb60bc535b7fc714840b4acbc
SHA512

55175819ae7ba6e2b89d4f9ed1b0d0aa0e976237f44a4a38136c50942e37432c8b7f69efc43aa2814780fe3bfe2fb276f4f13c2a14a5a6916198813e70eae342
SSDEEP

768:VY3WCnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3SsG6:ZCxOx6baIa9RZj00ljEwzGi1dDuDsgS

Score

10^/10

njrat lips discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

lips

C2

hakim32.ddns.net:2000

127.0.0.1:3914

Mutex

4da57d41dfd99d8577619c79d0e4470a

Attributes

reg_key
4da57d41dfd99d8577619c79d0e4470a
splitter
|'|'|

Targets

- Target
  
  8fd02983022b9f09835b9cda8b137bf9888b41dbb60bc535b7fc714840b4acbcN
- Size
  
  93KB
- MD5
  
  2a48072cf35f77e231543cff655449b0
- SHA1
  
  de6a10cc189f9d8bff617c8cab750558ad761bb7
- SHA256
  
  8fd02983022b9f09835b9cda8b137bf9888b41dbb60bc535b7fc714840b4acbc
- SHA512
  
  55175819ae7ba6e2b89d4f9ed1b0d0aa0e976237f44a4a38136c50942e37432c8b7f69efc43aa2814780fe3bfe2fb276f4f13c2a14a5a6916198813e70eae342
- SSDEEP
  
  768:VY3WCnD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3SsG6:ZCxOx6baIa9RZj00ljEwzGi1dDuDsgS
Score

8^/10

discovery evasion persistence privilege_escalation
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation