njrat | 76354e50aa55b4a1efd83ea4f5bca558ce8a2b9c341c680c58f0b1a9b5760985 | Triage

Sharing

General

Target

JaffaCakes118_5538d02f060edbf52fcf38cd20a1c460
Size

86KB
Sample

250101-pqgfvsxlgm
MD5

5538d02f060edbf52fcf38cd20a1c460
SHA1

f166ef7130760e02a62d19fba8e347324606354c
SHA256

76354e50aa55b4a1efd83ea4f5bca558ce8a2b9c341c680c58f0b1a9b5760985
SHA512

9fd315f1ce077993b6960decf6160a24f25a5805daaf550ed1ab2799bf73fe00945ffd03140088ad7e073e3893b5f45852e69f164bdf8b270c3d48936b803cfd
SSDEEP

1536:fgWyZQ/8z8F5PdH4CHvju769//4WDpQDDQFgUr1BY0gQLXCCuDqw3Mi69gNRcXTW:xyZQUz8F5VfrrVQPQFgUxO0xXCCumw3d

Score

10^/10

njrat flux evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Flux

C2

bnl-hacker.no-ip.biz:1177

Mutex

8b72dd1e0d0456eb0f83fda44e259b5e

Attributes

reg_key
8b72dd1e0d0456eb0f83fda44e259b5e
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_5538d02f060edbf52fcf38cd20a1c460
- Size
  
  86KB
- MD5
  
  5538d02f060edbf52fcf38cd20a1c460
- SHA1
  
  f166ef7130760e02a62d19fba8e347324606354c
- SHA256
  
  76354e50aa55b4a1efd83ea4f5bca558ce8a2b9c341c680c58f0b1a9b5760985
- SHA512
  
  9fd315f1ce077993b6960decf6160a24f25a5805daaf550ed1ab2799bf73fe00945ffd03140088ad7e073e3893b5f45852e69f164bdf8b270c3d48936b803cfd
- SSDEEP
  
  1536:fgWyZQ/8z8F5PdH4CHvju769//4WDpQDDQFgUr1BY0gQLXCCuDqw3Mi69gNRcXTW:xyZQUz8F5VfrrVQPQFgUxO0xXCCumw3d
Score

10^/10

njrat flux evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratfluxevasionpersistenceprivilege_escalationtrojan

behavioral2

njratfluxevasionpersistenceprivilege_escalationtrojan