Overview

overview

10

Static

static

10

Server.exe

windows7-x64

8

Server.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Server.exe

  • Size

    93KB

  • Sample

    241117-zcq39axmbs

  • MD5

    77569c49188ab04b3ed8fef0dfbef2cf

  • SHA1

    413db869e07385a42e1f9a1209822fa41ec8cf8a

  • SHA256

    dee23e85d531e80655457b017752bb99378ba91819e5a85ccf9343a1094a1a4c

  • SHA512

    ea2b7c6e94f0559f9d1ac48f797e4fe40849e531088cb4a145247d6ad9da9488f2ce1acf0f7384ecf7df8fb5165470919de75e12cd2bf554d47cde14853ffe2a

  • SSDEEP

    1536:RGbJD/HBZbszKu9AZpd7r1jEwzGi1dD3DEgS:RGqzK4AZ3HCi1dn9

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

paper-cancelled.gl.at.ply.gg:51045
Mutex

7771b946967346d29becdca43bc7858a

Attributes
  • reg_key

    7771b946967346d29becdca43bc7858a

  • splitter

    |'|'|

Targets

    • Target

      Server.exe

    • Size

      93KB

    • MD5

      77569c49188ab04b3ed8fef0dfbef2cf

    • SHA1

      413db869e07385a42e1f9a1209822fa41ec8cf8a

    • SHA256

      dee23e85d531e80655457b017752bb99378ba91819e5a85ccf9343a1094a1a4c

    • SHA512

      ea2b7c6e94f0559f9d1ac48f797e4fe40849e531088cb4a145247d6ad9da9488f2ce1acf0f7384ecf7df8fb5165470919de75e12cd2bf554d47cde14853ffe2a

    • SSDEEP

      1536:RGbJD/HBZbszKu9AZpd7r1jEwzGi1dD3DEgS:RGqzK4AZ3HCi1dn9

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalation

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks