njrat | e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460 | Triage

Sharing

General

Target

Server.exe
Size

93KB
Sample

241210-ms17yatlfy
MD5

d43643e01d59c289b551c240242ea5cd
SHA1

aa17e80aac2ca4e14297b0a7cf29c85b116882c6
SHA256

e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
SHA512

4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd
SSDEEP

768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

japanese-cross.gl.at.ply.gg:16828

Mutex

ac168fa7329a1bbe164c59a113cb4d71

Attributes

reg_key
ac168fa7329a1bbe164c59a113cb4d71
splitter
|'|'|

Targets

- Target
  
  Server.exe
- Size
  
  93KB
- MD5
  
  d43643e01d59c289b551c240242ea5cd
- SHA1
  
  aa17e80aac2ca4e14297b0a7cf29c85b116882c6
- SHA256
  
  e160f4bae8005bb78e9719ab69ce72ba4a9a8d0117498c6e0bafde9963eef460
- SHA512
  
  4143358f507836da62db5f91fccf50d531b79bc5893d7f09d1929f597924a7e2f6b157ea0cec129c9d7c87853e19596714e918204e5ce074a0aa5dec523cbfdd
- SSDEEP
  
  768:sY35xByZnDQMMpAZrGSt6udttXymsahkGJiXxrjEtCdnl2pi1Rz4Rk3YRsGdpUgM:NxUZD3rGWNd7DhkhjEwzGi1dD8DUgS
Score

8^/10

discovery evasion persistence privilege_escalation
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation