njrat | 68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d | Triage

Sharing

General

Target

68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d.exe
Size

93KB
Sample

241217-dpxkxaymcz
MD5

68edafe0a1705d5c7dd1cb14fa1ca8ce
SHA1

7e9d854c90acd7452645506874c4e6f10bfdda31
SHA256

68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d
SHA512

89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d
SSDEEP

768:JY37KBD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3WsG3:kKzOx6baIa9RIj00ljEwzGi1dDSD7gS

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

127.0.0.1:5552

Mutex

003fe4ef3220cc6abe0338ba4d8225ca

Attributes

reg_key
003fe4ef3220cc6abe0338ba4d8225ca
splitter
|'|'|

Targets

- Target
  
  68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d.exe
- Size
  
  93KB
- MD5
  
  68edafe0a1705d5c7dd1cb14fa1ca8ce
- SHA1
  
  7e9d854c90acd7452645506874c4e6f10bfdda31
- SHA256
  
  68f0121f2062aede8ae8bd52bba3c4c6c8aa19bdf32958b4e305cf716a92cc3d
- SHA512
  
  89a965f783ea7f54b55a542168ff759e851eae77cdfa9e23ba76145614b798f0815f2feb8670c16f26943e83bba2ade0649d6dc83af8d87c51c42f96d015573d
- SSDEEP
  
  768:JY37KBD9O/pBcxYsbae6GIXb9pDX2b9zPL0OXLeuXxrjEtCdnl2pi1Rz4Rk3WsG3:kKzOx6baIa9RIj00ljEwzGi1dDSD7gS
Score

8^/10

discovery evasion persistence privilege_escalation
- Disables Task Manager via registry modification
  evasion
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionpersistenceprivilege_escalation

behavioral2

discoveryevasionpersistenceprivilege_escalation