Overview

overview

10

Static

static

10

New Client.exe

windows7-x64

10

New Client.exe

windows7-x64

10

New Client.exe

windows10-2004-x64

New Client.exe

windows10-ltsc 2021-x64

7

New Client.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New Client.exe

  • Size

    65KB

  • Sample

    241030-q9qz3swmem

  • MD5

    1bcb0ce08d34ba620819df0268e04011

  • SHA1

    296765a47aa584a24bf66ddc9e67356e3203fac8

  • SHA256

    ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

  • SHA512

    f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145

  • SSDEEP

    1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab

Score
10/10
njrathackedbootkitdiscoverypersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:36811

Mutex

svhost.exe

Attributes
  • reg_key

    svhost.exe

  • splitter

    |Ghost|

Targets

    • Target

      New Client.exe

    • Size

      65KB

    • MD5

      1bcb0ce08d34ba620819df0268e04011

    • SHA1

      296765a47aa584a24bf66ddc9e67356e3203fac8

    • SHA256

      ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

    • SHA512

      f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145

    • SSDEEP

      1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab

    Score
    10/10
    njrathackedbootkitdiscoverypersistencetrojanprivilege_escalation

    • Modifies WinLogon for persistence

      persistence

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks