njrat | 8546ca6aed3fa349818ef096c0fc5738a1e875a89329cc1204ce01b8db87e366 | Triage

Sharing

General

Target

JaffaCakes118_63b02e797ff83d6564f8a179a334b450
Size

122KB
Sample

250102-jx6fnssmdx
MD5

63b02e797ff83d6564f8a179a334b450
SHA1

8c385e68245bb3beff75431179efae7749528ec9
SHA256

8546ca6aed3fa349818ef096c0fc5738a1e875a89329cc1204ce01b8db87e366
SHA512

cf2888a6a717f9969f132b6fae1290857a80c0fe7808122a0c461aa01cb74ec056acbb1c941fa3d3fac8aa945d227b042340f6e0e4f2fcc8c2fbb3b321b8891b
SSDEEP

1536:eHWw9O9qCDO3w0rW3cT1lxP3qIVHOqA5ZX6w5qqdkXA9SzcFDOgiXbqruuN8:QO9qCDOFwIZsX6w5HdSA9hFDZW

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

rwan.no-ip.biz:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_63b02e797ff83d6564f8a179a334b450
- Size
  
  122KB
- MD5
  
  63b02e797ff83d6564f8a179a334b450
- SHA1
  
  8c385e68245bb3beff75431179efae7749528ec9
- SHA256
  
  8546ca6aed3fa349818ef096c0fc5738a1e875a89329cc1204ce01b8db87e366
- SHA512
  
  cf2888a6a717f9969f132b6fae1290857a80c0fe7808122a0c461aa01cb74ec056acbb1c941fa3d3fac8aa945d227b042340f6e0e4f2fcc8c2fbb3b321b8891b
- SSDEEP
  
  1536:eHWw9O9qCDO3w0rW3cT1lxP3qIVHOqA5ZX6w5qqdkXA9SzcFDOgiXbqruuN8:QO9qCDOFwIZsX6w5HdSA9hFDZW
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan