njrat | ead475ea69db31e2c9c4414308c7f691c7c25db6e5b1ead1cb956595ec5a2fdd | Triage

Sharing

General

Target

JaffaCakes118_614ebd5bb8bfd44dc712e5fe1acc2040
Size

353KB
Sample

250101-3jvlsssqel
MD5

614ebd5bb8bfd44dc712e5fe1acc2040
SHA1

b4ff3a54e5a1279d3971da387c659262e9ecff61
SHA256

ead475ea69db31e2c9c4414308c7f691c7c25db6e5b1ead1cb956595ec5a2fdd
SHA512

850307e73d30447ccac18c5c61c4d8557a818496058e2f11dbf3564b418520cbed67a926e871866d8be9c519e6e44dc88ea4516b6cdcd2cf74de9f5bb3de9841
SSDEEP

6144:n5r5dnrCSGHAHA6XjrLJhzbaohD5qURuRdIvI7zU3VrHN2:n5ddrCBH2A6XjrzV3qcuRqQzU3VrHN

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

MGNONK010.NO-IP.info:1177

Mutex

859d0c0b5a8bc0dad9eedff5250f92f9

Attributes

reg_key
859d0c0b5a8bc0dad9eedff5250f92f9
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_614ebd5bb8bfd44dc712e5fe1acc2040
- Size
  
  353KB
- MD5
  
  614ebd5bb8bfd44dc712e5fe1acc2040
- SHA1
  
  b4ff3a54e5a1279d3971da387c659262e9ecff61
- SHA256
  
  ead475ea69db31e2c9c4414308c7f691c7c25db6e5b1ead1cb956595ec5a2fdd
- SHA512
  
  850307e73d30447ccac18c5c61c4d8557a818496058e2f11dbf3564b418520cbed67a926e871866d8be9c519e6e44dc88ea4516b6cdcd2cf74de9f5bb3de9841
- SSDEEP
  
  6144:n5r5dnrCSGHAHA6XjrLJhzbaohD5qURuRdIvI7zU3VrHN2:n5ddrCBH2A6XjrzV3qcuRqQzU3VrHN
Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackedevasionpersistenceprivilege_escalationtrojan