njrat | 356efbd5427f7b4079a0efaec5b72ce36fea23fdaa22331ae35c7e15323df2ae | Triage

Sharing

General

Target

356efbd5427f7b4079a0efaec5b72ce36fea23fdaa22331ae35c7e15323df2ae
Size

23KB
Sample

241105-z6j7ss1nhp
MD5

a590cf933af43e45adc2bc0490366cb5
SHA1

3d11acef56ca27cfe356ac55444a6197ea064cfa
SHA256

356efbd5427f7b4079a0efaec5b72ce36fea23fdaa22331ae35c7e15323df2ae
SHA512

453774c11a029731bfd749406d076c7987c4a57603e890fd12c8585e59b33ea7b79ab79c330a4a33d4b17ce693a3f74e31a464055268d9ba0b0a76e7bc3efa82
SSDEEP

384:WzmicUDPiJUQrlRGSHCYlbY6ZgvSMBTtxmRvR6JZlbw8hqIusZzZ68:CpD2btHxRpcnuQ

Score

10^/10

njrat by: "cranky-hk" 7awlii discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

By: "CranKy-Hk" 7awlii

C2

chrom384.servegame.com:1177

Mutex

29cb34d147658b14ff9d42936a5ab9ee

Attributes

reg_key
29cb34d147658b14ff9d42936a5ab9ee
splitter
|'|'|

Targets

- Target
  
  356efbd5427f7b4079a0efaec5b72ce36fea23fdaa22331ae35c7e15323df2ae
- Size
  
  23KB
- MD5
  
  a590cf933af43e45adc2bc0490366cb5
- SHA1
  
  3d11acef56ca27cfe356ac55444a6197ea064cfa
- SHA256
  
  356efbd5427f7b4079a0efaec5b72ce36fea23fdaa22331ae35c7e15323df2ae
- SHA512
  
  453774c11a029731bfd749406d076c7987c4a57603e890fd12c8585e59b33ea7b79ab79c330a4a33d4b17ce693a3f74e31a464055268d9ba0b0a76e7bc3efa82
- SSDEEP
  
  384:WzmicUDPiJUQrlRGSHCYlbY6ZgvSMBTtxmRvR6JZlbw8hqIusZzZ68:CpD2btHxRpcnuQ
Score

10^/10

njrat by: "cranky-hk" 7awlii discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

by: "cranky-hk" 7awliinjrat

behavioral1

njratby: "cranky-hk" 7awliidiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan