njrat | a2b3a50c599366afe2dad57ab644526a097bec4006c1c5638acfe4ce8f65a072 | Triage

Sharing

General

Target

JaffaCakes118_6092832add7ccc38d961a5c4ef52c650
Size

14KB
Sample

250101-zkqgpawjgm
MD5

6092832add7ccc38d961a5c4ef52c650
SHA1

d893601b197b6bd758cbeb690926e91609a9abe4
SHA256

a2b3a50c599366afe2dad57ab644526a097bec4006c1c5638acfe4ce8f65a072
SHA512

d6a30b35fc963a713a3f3893560dba7b165f35fe0e6cda9099db21e9890c6be67824974cbfb0226746334f45ffc226b0ad431f2bb2d6cdaa1eac8cc30ffc55eb
SSDEEP

192:K2xz2xgVzxOdMAi3TYbnaxTZiEfqZpzdLk0yopEat/cswnRoKV1scljNRSdjCndx:A4AijLT5qPzdgoT/6nRoKV13N3O0

Score

10^/10

njrat google discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Google

C2

zeko20100.no-ip.biz:1177

Mutex

48a6df58cd0d566695640a0527388455

Attributes

reg_key
48a6df58cd0d566695640a0527388455
splitter
|'|'|

Targets

- Target
  
  sample
- Size
  
  23KB
- MD5
  
  96773da9ac7d11e77764abcc20ba9ede
- SHA1
  
  05b228dbeb75265f5fde2e5022b5bab86d52099a
- SHA256
  
  25c9fd4a388d0232468b883a1b4d5a12d27df4ed82946e31982691e4002daa73
- SHA512
  
  3f7c61c79108920e2238bf11754b506724682ec4f82aeb29e483b6b02095ad95a3f7530844e8808c556a74b6767aa945b6e5663009217bc9bb63740ca4950c73
- SSDEEP
  
  384:ppMKFYuEEhERvoBG16Xuy0MHNw6Tg1Y+75JTFmRvR6JZlbw8hqIusZzZ1Z:pCW4V6+yDRpcnuE
Score

10^/10

njrat google discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratgooglediscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan