njrat | bd1ba1379b9641d3e7e2062a746195ab573c1ca253f81e32337ccb42c49ded26 | Triage

Sharing

General

Target

0e5ca24fb347c2a52e0ede701a7d96b0_JaffaCakes118
Size

28KB
Sample

241003-g8j1pssgqh
MD5

0e5ca24fb347c2a52e0ede701a7d96b0
SHA1

50f1376a7243f99e7c79744a9635b8b2702f2f5d
SHA256

bd1ba1379b9641d3e7e2062a746195ab573c1ca253f81e32337ccb42c49ded26
SHA512

99ac4c39a89ab769153aeb822600644c80917c34072b917c76f4c31b17d7ddf7150100b757fd4814cf9264680e783ad757358c23c1801be0aa6d6da525042de3
SSDEEP

384:KmsCXkm2fSDDv+8/2utC3Gq4PL0SFbqGfHrE/51yJgCdnPWCHc9BUW7ORVh4vUon:Km3km2qDPOOXq4PxFPy1yJXAb6aMoZd

Score

10^/10

njrat ked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Ked

C2

176.115.70.97:5552

Mutex

8394478645662510ce916461f336b44a

Attributes

reg_key
8394478645662510ce916461f336b44a
splitter
|'|'|

Targets

- Target
  
  0e5ca24fb347c2a52e0ede701a7d96b0_JaffaCakes118
- Size
  
  28KB
- MD5
  
  0e5ca24fb347c2a52e0ede701a7d96b0
- SHA1
  
  50f1376a7243f99e7c79744a9635b8b2702f2f5d
- SHA256
  
  bd1ba1379b9641d3e7e2062a746195ab573c1ca253f81e32337ccb42c49ded26
- SHA512
  
  99ac4c39a89ab769153aeb822600644c80917c34072b917c76f4c31b17d7ddf7150100b757fd4814cf9264680e783ad757358c23c1801be0aa6d6da525042de3
- SSDEEP
  
  384:KmsCXkm2fSDDv+8/2utC3Gq4PL0SFbqGfHrE/51yJgCdnPWCHc9BUW7ORVh4vUon:Km3km2qDPOOXq4PxFPy1yJXAb6aMoZd
Score

10^/10

njrat ked discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratkeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan