njrat | 23f247cc697ffbc58e0dc59ac0a3d8bae1a1c8521af810519c93cdf185bf6686 | Triage

Sharing

General

Target

JaffaCakes118_254dd5ea0fa1f4a15795971366c38487
Size

152KB
Sample

241231-szvxdswrex
MD5

254dd5ea0fa1f4a15795971366c38487
SHA1

025cb8750b3431d73e00e5f2617cdf94fa66b50d
SHA256

23f247cc697ffbc58e0dc59ac0a3d8bae1a1c8521af810519c93cdf185bf6686
SHA512

08897f7188f2cb43d21403d06dd546f2f0bc9e9c48c8c259e5fbfe2e1e64ab6668a0c250c972236b8e2fd2972f50c10eba4e877394ca39ce09bd39e7daf310fa
SSDEEP

3072:TIOXGze73aSyCt0Ek21R7HL218mdU882vERh6z7PYAOfvvqn0:TIOX4e7Kcf6d+2vERh6OHqn

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

uwk007.zapto.org:1177

Mutex

458ff06394da6bece9a5c4cd8117cf87

Attributes

reg_key
458ff06394da6bece9a5c4cd8117cf87
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_254dd5ea0fa1f4a15795971366c38487
- Size
  
  152KB
- MD5
  
  254dd5ea0fa1f4a15795971366c38487
- SHA1
  
  025cb8750b3431d73e00e5f2617cdf94fa66b50d
- SHA256
  
  23f247cc697ffbc58e0dc59ac0a3d8bae1a1c8521af810519c93cdf185bf6686
- SHA512
  
  08897f7188f2cb43d21403d06dd546f2f0bc9e9c48c8c259e5fbfe2e1e64ab6668a0c250c972236b8e2fd2972f50c10eba4e877394ca39ce09bd39e7daf310fa
- SSDEEP
  
  3072:TIOXGze73aSyCt0Ek21R7HL218mdU882vERh6z7PYAOfvvqn0:TIOX4e7Kcf6d+2vERh6OHqn
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan