njrat | 3314999529183eb9c48b506a9af61a8dd1b8c3e7bae6f7676af5a22ea4630d93

General

Target

fe61764d62229ed7e0d5b5624905f1fd_JaffaCakes118
Size

1.6MB
Sample

241219-ermzxsykfp
MD5

fe61764d62229ed7e0d5b5624905f1fd
SHA1

3bfbf450929aa644d1cc8a9303839d3d86aca66f
SHA256

3314999529183eb9c48b506a9af61a8dd1b8c3e7bae6f7676af5a22ea4630d93
SHA512

b414c51822139bc712611a3d70424b96026993a3d96c959ce614403f66989598556e009f88093e2c3f729fd74b6aaf857c2eb352e8175ccd8b07d33f4c602dc3
SSDEEP

49152:jH06gyK7ex8Rvr7XS7vrbtH06gyK7ex8Rvr7XS7vrb8:Qf28R3i7Dif28R3i7Do

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

JIoLLIaPa

C2

193.218.141.160:1100

Mutex

25b7ccb5b0dc716d27e2168346698c0b

Attributes

reg_key
25b7ccb5b0dc716d27e2168346698c0b
splitter
|'|'|

Targets

- Target
  
  BackSide.scr
- Size
  
  1.2MB
- MD5
  
  fc0eda848858a83000947398e4fc5988
- SHA1
  
  6a1ef4d79282cf7415e031a1f9597f2f527fb351
- SHA256
  
  b3d5d4f086b549051ef58260a81a2b4a8a53423ba17fae0ebc1d5be5fa800d12
- SHA512
  
  ffd6eff982feb4848d4b8cd54ce8527eaef415e0dcc780ba2d768be9c5143396e4e9fd7e3ba608a15d24f7d0aa9f11d267d330910c8b314f6eae88c173dddc15
- SSDEEP
  
  24576:hs2m37uALHllEhLl9jEfoE+q4B0McK4KrD35N7dfGs:hs2m37uAzAhLlVEfvCCuLAs
Score

10^/10

njrat jiolliapa defense_evasion discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral1 behavioral2
- Target
  
  PlaySide.scr
- Size
  
  1.2MB
- MD5
  
  fc0eda848858a83000947398e4fc5988
- SHA1
  
  6a1ef4d79282cf7415e031a1f9597f2f527fb351
- SHA256
  
  b3d5d4f086b549051ef58260a81a2b4a8a53423ba17fae0ebc1d5be5fa800d12
- SHA512
  
  ffd6eff982feb4848d4b8cd54ce8527eaef415e0dcc780ba2d768be9c5143396e4e9fd7e3ba608a15d24f7d0aa9f11d267d330910c8b314f6eae88c173dddc15
- SSDEEP
  
  24576:hs2m37uALHllEhLl9jEfoE+q4B0McK4KrD35N7dfGs:hs2m37uAzAhLlVEfvCCuLAs
Score

10^/10

njrat jiolliapa defense_evasion discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
behavioral3 behavioral4