njrat | 04e97dbc7db19b374dafa082b33ccc15634a03efc983df464b31a9361dd0381b | Triage

Sharing

General

Target

JaffaCakes118_5d713df844e9a2aa11c1a067404e9b30
Size

449KB
Sample

250101-vn28fawqfn
MD5

5d713df844e9a2aa11c1a067404e9b30
SHA1

123cff1e694e59dd00101d90d8c00e9a75f6fca5
SHA256

04e97dbc7db19b374dafa082b33ccc15634a03efc983df464b31a9361dd0381b
SHA512

262dee3779c2dc3ddaba881803838a1923559bd0158796e953e94bce5348f93f4305b582edec449feca51996dd951206d5bf3a91e0633f0827469160ceb54ccb
SSDEEP

12288:7WG3O3PAEN98mJkum4JwCXGEoTThG7UTi1Jks3sPXg:7WG3OfAENC4dWdzsMQ

Score

10^/10

njrat سيرفر هكر من شبح discovery evasion persistence privilege_escalation trojan vmprotect

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

سيرفر هكر من شبح

C2

networkishacj.ddnsking.com:1177

Mutex

2f4a36e5ad189c706256137bb03a7d93

Attributes

reg_key
2f4a36e5ad189c706256137bb03a7d93
splitter
|'|'|

Targets

- Target
  
  PRo.exe
- Size
  
  549KB
- MD5
  
  d9b36da4c6f7bfab1273c40a4bbe1bfd
- SHA1
  
  1165f3771e2ea625998bcf9f6ebbc8d613dee7e4
- SHA256
  
  28b04371a3ff0a336d17dcf8f5d5a3db75f99bc0d3ed580c5f8081946f17a441
- SHA512
  
  709c8a6ea279b335713a2e64480fd30590d9f3cc67c6379ac46c72ffa7b8308437c3a4edef579a535d70e07686ff691b6037e81850d4eeac1e1173b3a67e3a24
- SSDEEP
  
  12288:J0nyfXuIBDtfurD6DmzHPoxhJeFRvGOozGATzQiwml41q:Gny/f9ur+DkUeFRvGpFTciwml+q
Score

10^/10

njrat سيرفر هكر من شبح discovery evasion persistence privilege_escalation trojan vmprotect
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratسيرفر هكر من شبحdiscoveryevasionpersistenceprivilege_escalationtrojanvmprotect

behavioral2

njratسيرفر هكر من شبحdiscoveryevasionpersistenceprivilege_escalationtrojanvmprotect