njrat | 104858a06e493bca79d02488ca5f0f481a032aaa207859a686b1ec098299601b | Triage

Sharing

General

Target

104858a06e493bca79d02488ca5f0f481a032aaa207859a686b1ec098299601bN
Size

23KB
Sample

241018-sct2ksvgpn
MD5

af673b5a220e320f2bb89b89bdfa0de0
SHA1

3b6897f41558996f24c6a9bc55185c0db7d7b36d
SHA256

104858a06e493bca79d02488ca5f0f481a032aaa207859a686b1ec098299601b
SHA512

d2e529cf2dad2fc628d1b0c3e46c4d4d019e6232f3be83ae10952f9c396338fb008939ae8fdd1035e9157e4b257f043f9e45525f5b8bce1cf15b061159ccfa6a
SSDEEP

384:HslUlEvOEJ8xWwYJOMiOBZEdj1567gtwi5HhbQmRvR6JZlbw8hqIusZzZKM+:4eEvwIlLMRpcnunT

Score

10^/10

njrat 2012 discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

2012

C2

10.10.10.10:5555

Mutex

398be2ccd5142b1e151174bf3e1b17dd

Attributes

reg_key
398be2ccd5142b1e151174bf3e1b17dd
splitter
|'|'|

Targets

- Target
  
  104858a06e493bca79d02488ca5f0f481a032aaa207859a686b1ec098299601bN
- Size
  
  23KB
- MD5
  
  af673b5a220e320f2bb89b89bdfa0de0
- SHA1
  
  3b6897f41558996f24c6a9bc55185c0db7d7b36d
- SHA256
  
  104858a06e493bca79d02488ca5f0f481a032aaa207859a686b1ec098299601b
- SHA512
  
  d2e529cf2dad2fc628d1b0c3e46c4d4d019e6232f3be83ae10952f9c396338fb008939ae8fdd1035e9157e4b257f043f9e45525f5b8bce1cf15b061159ccfa6a
- SSDEEP
  
  384:HslUlEvOEJ8xWwYJOMiOBZEdj1567gtwi5HhbQmRvR6JZlbw8hqIusZzZKM+:4eEvwIlLMRpcnunT
Score

10^/10

njrat 2012 discovery evasion persistence privilege_escalation trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrat2012discoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan