njrat | f34c57376a27fec5fe0c3ddacd9a1c697afba6f99e829b0a66b2e030b60221d5 | Triage

Sharing

General

Target

9b1997e5e05ed0d1674baf0e1859230b_JaffaCakes118
Size

297KB
Sample

241125-m8zztatnas
MD5

9b1997e5e05ed0d1674baf0e1859230b
SHA1

90d2852c7c09b52dd06e07491c7cf421775beca9
SHA256

f34c57376a27fec5fe0c3ddacd9a1c697afba6f99e829b0a66b2e030b60221d5
SHA512

ae1e64928eba0157e73637fce89b47051999ca4ef9885ab953018d0ed9226629e0f724b016e01e882c32ee3782386558dba10425e908b54ad9826e5392594a5e
SSDEEP

3072:8nj9jtfU+INndIc0JC5iJTHpdN3w1XtDzmTSRK4O9AKibsjUiNNAkImk9nK1yF+1:8jbeiZJrApJEUANpSkoKc2A7+S9y

Score

10^/10

njrat nl discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

nl

C2

45.32.244.221:5552

Mutex

90118d86d7ea3bfd271b06bbeb742f49

Attributes

reg_key
90118d86d7ea3bfd271b06bbeb742f49
splitter
|'|'|

Targets

- Target
  
  9b1997e5e05ed0d1674baf0e1859230b_JaffaCakes118
- Size
  
  297KB
- MD5
  
  9b1997e5e05ed0d1674baf0e1859230b
- SHA1
  
  90d2852c7c09b52dd06e07491c7cf421775beca9
- SHA256
  
  f34c57376a27fec5fe0c3ddacd9a1c697afba6f99e829b0a66b2e030b60221d5
- SHA512
  
  ae1e64928eba0157e73637fce89b47051999ca4ef9885ab953018d0ed9226629e0f724b016e01e882c32ee3782386558dba10425e908b54ad9826e5392594a5e
- SSDEEP
  
  3072:8nj9jtfU+INndIc0JC5iJTHpdN3w1XtDzmTSRK4O9AKibsjUiNNAkImk9nK1yF+1:8jbeiZJrApJEUANpSkoKc2A7+S9y
Score

10^/10

njrat nl discovery evasion persistence privilege_escalation trojan upx
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratnldiscoveryevasionpersistenceprivilege_escalationtrojanupx

behavioral2

njratnldiscoveryevasionpersistenceprivilege_escalationtrojanupx