njrat | ed06232e5df3c0577632fdb2ceec8ced1facee18773d73dd1cc228ff00371442 | Triage

Sharing

General

Target

JaffaCakes118_ed06232e5df3c0577632fdb2ceec8ced1facee18773d73dd1cc228ff00371442
Size

93KB
Sample

241229-jnrk6awrbq
MD5

b411c09b425438604412a414b225c03e
SHA1

22eaa702485c0303ff3bde8b74588f22fc541cd3
SHA256

ed06232e5df3c0577632fdb2ceec8ced1facee18773d73dd1cc228ff00371442
SHA512

adf8c3cd870ee87ef28f4f71b781536240a4493b4ec80da6a5fd2ca06e863e71733142cc6d010c798fb738211f4b3224253d5e00946e251d58dd11367bb9566b
SSDEEP

1536:HCOs5p8k2HGjTpZ5HoTjEwzGi1dD6DegS:HCSk2HGjtZ5IYi1dkD

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

C2

hakim32.ddns.net:2000

127.0.0.1:58905

Mutex

d7fb8d984dc92aaa2b15379ae6735344

Attributes

reg_key
d7fb8d984dc92aaa2b15379ae6735344
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_ed06232e5df3c0577632fdb2ceec8ced1facee18773d73dd1cc228ff00371442
- Size
  
  93KB
- MD5
  
  b411c09b425438604412a414b225c03e
- SHA1
  
  22eaa702485c0303ff3bde8b74588f22fc541cd3
- SHA256
  
  ed06232e5df3c0577632fdb2ceec8ced1facee18773d73dd1cc228ff00371442
- SHA512
  
  adf8c3cd870ee87ef28f4f71b781536240a4493b4ec80da6a5fd2ca06e863e71733142cc6d010c798fb738211f4b3224253d5e00946e251d58dd11367bb9566b
- SSDEEP
  
  1536:HCOs5p8k2HGjTpZ5HoTjEwzGi1dD6DegS:HCSk2HGjtZ5IYi1dkD
Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation