njrat | e3628c6c6461b4df628ab0d7c8977d109d5906aec469ec8d1dec8372c956862a | Triage

Sharing

General

Target

JaffaCakes118_e3628c6c6461b4df628ab0d7c8977d109d5906aec469ec8d1dec8372c956862a
Size

93KB
Sample

241229-d5p6rs1pbk
MD5

943ad62c5ce7252307522fba42ac0ad0
SHA1

3ab8fe8d2b082f5009f8e735e6cef24f70c81414
SHA256

e3628c6c6461b4df628ab0d7c8977d109d5906aec469ec8d1dec8372c956862a
SHA512

d831ac60fd9a62122f7021da8b8c9d9f305cfe9a4a0c08b9b0c6ec930bc22a41ce632c3b58cf3238876fb5d2152ad2ec8a272a6e9fb9145adc410a0416100114
SSDEEP

1536:xUIs5p8k2HGjTpL5HoTjEwzGi1dDkDEgS:xUgk2HGjtL5IYi1dK9

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

C2

hakim32.ddns.net:2000

127.0.0.1:58905

Mutex

52b910a105f9b42a0c58d241595617ce

Attributes

reg_key
52b910a105f9b42a0c58d241595617ce
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_e3628c6c6461b4df628ab0d7c8977d109d5906aec469ec8d1dec8372c956862a
- Size
  
  93KB
- MD5
  
  943ad62c5ce7252307522fba42ac0ad0
- SHA1
  
  3ab8fe8d2b082f5009f8e735e6cef24f70c81414
- SHA256
  
  e3628c6c6461b4df628ab0d7c8977d109d5906aec469ec8d1dec8372c956862a
- SHA512
  
  d831ac60fd9a62122f7021da8b8c9d9f305cfe9a4a0c08b9b0c6ec930bc22a41ce632c3b58cf3238876fb5d2152ad2ec8a272a6e9fb9145adc410a0416100114
- SSDEEP
  
  1536:xUIs5p8k2HGjTpL5HoTjEwzGi1dDkDEgS:xUgk2HGjtL5IYi1dK9
Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation