Overview

overview

10

Static

static

3

maria.exe

windows7-x64

10

maria.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_644b407e700469c2591dfa3224595940

  • Size

    100KB

  • Sample

    250102-l3tp6swrhy

  • MD5

    644b407e700469c2591dfa3224595940

  • SHA1

    f6d22e6264a2f0053e388dca1f657c0932616c4a

  • SHA256

    d5fb76293655ab1fbc2f9cfb03b286adc2e428117a4f596e23548316746cb04b

  • SHA512

    8e5a63788e9af7fe4b2f77a7e690882876f165b4c14df7ec98197a006de44c9d861b0a99153a0a306c63351f3f969a6434474fc04e2f1bfbd1e25398be4e1178

  • SSDEEP

    1536:wJsxuB3JTwJdpkINVufttKe6y+EIC7920dMWSzLFs/u50Q+9vQbshkUq5g45yiB:wJQ4NwJ3kKVThs7g0djSW19vh9q39B

Score
10/10
njratdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      maria.exe

    • Size

      164KB

    • MD5

      1636678632f7d7f3bd1965bfe1a51c08

    • SHA1

      e57f920beaec6462178c0ec5e577d8a12b9251b6

    • SHA256

      56cf1856341fb63bffc8571f5044e8ef535ea8cb3710003e1006962ed9c5202b

    • SHA512

      3dbf54e12616ff750daaade42ba7af6ba86101d5280d052a73343f6d391bcd30cc0ebc56f99c065881b9886201073450d59fbcc211d2d323d1b0a126d4e2965e

    • SSDEEP

      3072:JvNPKxdSvpuWtYjSO6Q6WLISwVkTpl653UhXidG0G:xNPKxduuGYjVd6WsSwVKW3UhyE0

    Score
    10/10
    njratdiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks