njrat | 2f01bed1f064d819090c4ae7f390d7ec9d63e2859c5553d1e96c16d627048f36 | Triage

Sharing

General

Target

JaffaCakes118_64eb3998e26459e4c3077ad4024a1a80
Size

29KB
Sample

250102-n4n77atncm
MD5

64eb3998e26459e4c3077ad4024a1a80
SHA1

1c3e26247f971fb777d9ba220e65a21d3c4e1323
SHA256

2f01bed1f064d819090c4ae7f390d7ec9d63e2859c5553d1e96c16d627048f36
SHA512

55c7388ccc7bb0abc63ac169a5d158faaf826899d7c3261c62a9c4238bf9c002b9ea3204c00589b62ab2015a6dcd481b6003dd28d2ab9fba69434456dcbb6856
SSDEEP

384:1+jNl7fFhYUEWnPx5rNCYmWmqDUhHevaGBsbh0w4wlAokw9OhgOL1vYRGOZz3ZYY:m77YUEk5HCYIqsHe9BKh0p29SgRxn

Score

10^/10

njrat victoriah discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

victoriah

C2

zacinemzabi.bounceme.net:91

Mutex

78eb78fcdfbb68ba8d69fee34d0c86a7

Attributes

reg_key
78eb78fcdfbb68ba8d69fee34d0c86a7
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_64eb3998e26459e4c3077ad4024a1a80
- Size
  
  29KB
- MD5
  
  64eb3998e26459e4c3077ad4024a1a80
- SHA1
  
  1c3e26247f971fb777d9ba220e65a21d3c4e1323
- SHA256
  
  2f01bed1f064d819090c4ae7f390d7ec9d63e2859c5553d1e96c16d627048f36
- SHA512
  
  55c7388ccc7bb0abc63ac169a5d158faaf826899d7c3261c62a9c4238bf9c002b9ea3204c00589b62ab2015a6dcd481b6003dd28d2ab9fba69434456dcbb6856
- SSDEEP
  
  384:1+jNl7fFhYUEWnPx5rNCYmWmqDUhHevaGBsbh0w4wlAokw9OhgOL1vYRGOZz3ZYY:m77YUEk5HCYIqsHe9BKh0p29SgRxn
Score

10^/10

njrat victoriah discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratvictoriahdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation