njrat | 3ef90c48e7cbc9caa234d8d8a3149ce72a9f3e471e2f24e3dba09264c09c3ec3 | Triage

Sharing

General

Target

JaffaCakes118_4676c5fb478e0e5af4227433d41198d0
Size

16KB
Sample

250101-emc9xswpgm
MD5

4676c5fb478e0e5af4227433d41198d0
SHA1

9de63d09f6fc0a044ebb425dd4d3dc08c3b6da80
SHA256

3ef90c48e7cbc9caa234d8d8a3149ce72a9f3e471e2f24e3dba09264c09c3ec3
SHA512

7cd13be3a0badf6179015378fc23d19c36d565c1671d3832389ac1168d8b4693f9b486258fde50c565f7e13f9ef6c1c91d03c8ae80abf20cf5d67b8abb7ce97f
SSDEEP

384:Y3jrED137xiGg77do2LJvKeNMZzg5cks:3D5xiRZrLJvK2ls

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

mohamedmaher27.ddns.net:5552

Mutex

6c8a21897849848faa01ead3475dd69b

Attributes

reg_key
6c8a21897849848faa01ead3475dd69b
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_4676c5fb478e0e5af4227433d41198d0
- Size
  
  16KB
- MD5
  
  4676c5fb478e0e5af4227433d41198d0
- SHA1
  
  9de63d09f6fc0a044ebb425dd4d3dc08c3b6da80
- SHA256
  
  3ef90c48e7cbc9caa234d8d8a3149ce72a9f3e471e2f24e3dba09264c09c3ec3
- SHA512
  
  7cd13be3a0badf6179015378fc23d19c36d565c1671d3832389ac1168d8b4693f9b486258fde50c565f7e13f9ef6c1c91d03c8ae80abf20cf5d67b8abb7ce97f
- SSDEEP
  
  384:Y3jrED137xiGg77do2LJvKeNMZzg5cks:3D5xiRZrLJvK2ls
Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackedevasionpersistenceprivilege_escalationtrojan