njrat | 2bd078d40523d44ce6dfc6aed631ada136e2637346d80f200f0730a3c429092b | Triage

Sharing

General

Target

JaffaCakes118_659ff1d14a0557aa3ba2c9029a502500
Size

524KB
Sample

250102-rdh52avjdy
MD5

659ff1d14a0557aa3ba2c9029a502500
SHA1

2dd55da692706ec8f5e82bc2c18f5492ba0085c0
SHA256

2bd078d40523d44ce6dfc6aed631ada136e2637346d80f200f0730a3c429092b
SHA512

cc1b23c8c130b13e45d04bc43b150e77346f857d52d3fb464a84df45931c65abbd7d2a6479be575c16a5d6f783d8bff0c40921b34cd477f97ddf9762b5bdc490
SSDEEP

6144:FzDFkL+jDEbWj+0VjvwsYUVVObfiJCkMVu0ZNOVm8WM53515j585k5MmV5654R6F:pDFkmzrTL+gMVu0ZNOVm8a

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HACKED

C2

amine-gatorsedz.no-ip.biz:1177

Mutex

60f0d0e0d2dd518d7530a18795742b3f

Attributes

reg_key
60f0d0e0d2dd518d7530a18795742b3f
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_659ff1d14a0557aa3ba2c9029a502500
- Size
  
  524KB
- MD5
  
  659ff1d14a0557aa3ba2c9029a502500
- SHA1
  
  2dd55da692706ec8f5e82bc2c18f5492ba0085c0
- SHA256
  
  2bd078d40523d44ce6dfc6aed631ada136e2637346d80f200f0730a3c429092b
- SHA512
  
  cc1b23c8c130b13e45d04bc43b150e77346f857d52d3fb464a84df45931c65abbd7d2a6479be575c16a5d6f783d8bff0c40921b34cd477f97ddf9762b5bdc490
- SSDEEP
  
  6144:FzDFkL+jDEbWj+0VjvwsYUVVObfiJCkMVu0ZNOVm8WM53515j585k5MmV5654R6F:pDFkmzrTL+gMVu0ZNOVm8a
Score

10^/10

njrat hacked discovery trojan evasion persistence privilege_escalation
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoverytrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan