njrat | a4ea9f0ce69ff7164ffc2ddc33f7c00f37c702694e46cb967ca5ef71332d3ec0 | Triage

Sharing

General

Target

JaffaCakes118_68d1c0566b41a435b804e257c9738a10
Size

64KB
Sample

250102-29ms7szkas
MD5

68d1c0566b41a435b804e257c9738a10
SHA1

a9bc509add902b3d5a3f4f146b0d74cc2b71263d
SHA256

a4ea9f0ce69ff7164ffc2ddc33f7c00f37c702694e46cb967ca5ef71332d3ec0
SHA512

52deb5626ca0983251194c692f0e62273a5b73472880dd258895bcd6536d1bef7716fb41d30cef4d99c4343b6221ba118ac99fb858aaf682ffd73e4c0341282a
SSDEEP

1536:cjnVwbOp54C3hcsFCmLsuZqA+XutqV7v59xtDetwG6T98fEdLd:cBw6hNLsuZT+XusVzVtySGG982Ld

Score

10^/10

njrat fifa_vitimas discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Fifa_Vitimas

C2

duduhackernoob.no-ip.org:1177

Mutex

2e3533e8a21782e85bf5271ce8795feb

Attributes

reg_key
2e3533e8a21782e85bf5271ce8795feb
splitter
|'|'|

Targets

- Target
  
  HackedFifa.exe
- Size
  
  93KB
- MD5
  
  540bc9dde5aac4fcb45e6e4d17a6b0cf
- SHA1
  
  c707857181e10af602bdcfec9cf0c5b411790866
- SHA256
  
  dafc56a5e7e8ea36b8117ad727c59778f1dc0f68e0f9a8266d3b6ae270be9ab2
- SHA512
  
  e6c1d478bf1de18a8beee830b7a2403b0258a11387169e0db7582fc3178889edfe16f2cf4fc7330d951bfc288b02d721862cf81db9478bd73e227521ad2bf204
- SSDEEP
  
  1536:f7nisVm7KhG29jE6v1ggpZJ7WTeXLZXkuwxNa0X2/m/L8wIGcCGzOJHj6:DiAmuA29ztLxWTeKxNhXCpwIrCGzOJHO
Score

10^/10

njrat fifa_vitimas discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

fifa_vitimasnjrat

behavioral1

njratfifa_vitimasdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation