njrat | ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e | Triage

Sharing

General

Target

New Client.exe
Size

65KB
Sample

241030-rafwhatlas
MD5

1bcb0ce08d34ba620819df0268e04011
SHA1

296765a47aa584a24bf66ddc9e67356e3203fac8
SHA256

ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e
SHA512

f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145
SSDEEP

1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab

Score

10^/10

njrat hacked bootkit discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

C2

127.0.0.1:36811

Mutex

svhost.exe

Attributes

reg_key
svhost.exe
splitter
|Ghost|

Targets

- Target
  
  New Client.exe
- Size
  
  65KB
- MD5
  
  1bcb0ce08d34ba620819df0268e04011
- SHA1
  
  296765a47aa584a24bf66ddc9e67356e3203fac8
- SHA256
  
  ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e
- SHA512
  
  f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145
- SSDEEP
  
  1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab
Score

10^/10

discovery persistence privilege_escalation njrat hacked trojan bootkit evasion
- Modifies WinLogon for persistence
  persistence
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

AppInit DLLs

Pre-OS Boot

Bootkit

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Event Triggered Execution

AppInit DLLs

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistenceprivilege_escalation

behavioral2

njrathackeddiscoverypersistenceprivilege_escalationtrojan

behavioral3

bootkitdiscoveryevasionpersistence

behavioral4

discoverypersistenceprivilege_escalation

behavioral5

discoverypersistence