njrat | 38e3d61fa81efc013d30939def97d7592e0dbb16e1057153c5e661843b587503 | Triage

Sharing

General

Target

ae13d7f110850b45a19e2a7d5002a160_JaffaCakes118
Size

96KB
Sample

241129-a27pvswqaw
MD5

ae13d7f110850b45a19e2a7d5002a160
SHA1

5061d81b42d592e44fc763b806b3e28d09613e99
SHA256

38e3d61fa81efc013d30939def97d7592e0dbb16e1057153c5e661843b587503
SHA512

f392e39d037468b8ee55de702ea3596925b96342b7670a182c975a85b99d7e26c8aeb2921a5f3e378881e1fd5f798a1ebf39e1375791857cc664a70233d2a110
SSDEEP

1536:8/LZ8cCVzTK9Ol93Lh5C0tew6cZuL5HTc8Jti8vqjqitwL12:898xTdllPCWb6SuL5Hg8Jti8vWqitwL4

Score

10^/10

njrat p2p작업 evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

P2P작업

C2

jin98816.kro.kr:3

Mutex

809b6ef4fe234529ad0cd3a9dc9c84f6

Attributes

reg_key
809b6ef4fe234529ad0cd3a9dc9c84f6
splitter
|'|'|

Targets

- Target
  
  ae13d7f110850b45a19e2a7d5002a160_JaffaCakes118
- Size
  
  96KB
- MD5
  
  ae13d7f110850b45a19e2a7d5002a160
- SHA1
  
  5061d81b42d592e44fc763b806b3e28d09613e99
- SHA256
  
  38e3d61fa81efc013d30939def97d7592e0dbb16e1057153c5e661843b587503
- SHA512
  
  f392e39d037468b8ee55de702ea3596925b96342b7670a182c975a85b99d7e26c8aeb2921a5f3e378881e1fd5f798a1ebf39e1375791857cc664a70233d2a110
- SSDEEP
  
  1536:8/LZ8cCVzTK9Ol93Lh5C0tew6cZuL5HTc8Jti8vqjqitwL12:898xTdllPCWb6SuL5Hg8Jti8vWqitwL4
Score

10^/10

njrat p2p작업 evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratp2p작업evasionpersistenceprivilege_escalationtrojan

behavioral2

njratp2p작업evasionpersistenceprivilege_escalationtrojan