njrat | 5a42fb8cd6463b23d1b5d56e123429f7e38b2abab1a0baa7b74e8ee128054651 | Triage

Sharing

General

Target

JaffaCakes118_67e68317591942846cb44884a0d5f380
Size

43KB
Sample

250102-ynp5natmhz
MD5

67e68317591942846cb44884a0d5f380
SHA1

e39aeb33f43ec1f72fae8b2aa132bc804c311b06
SHA256

5a42fb8cd6463b23d1b5d56e123429f7e38b2abab1a0baa7b74e8ee128054651
SHA512

c6fbe7020499f65e0f175b3e96d37966b7f88a44879912745af06c2b53aa1894f50eceb4a5470546dbb0030e7307af6d384695902fb2bd30d1b8b79b737cb905
SSDEEP

768:hg1cK3SMcDA9lRQO8BMUBkJBMBb6Rk9WeYxTXkiHj0g/l3t:hguG4OlRQDBBBkfM9myYxT02jTd

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

attia.no-ip.biz:1177

Mutex

a8a98371e314c9de13f333a4ac27e8f6

Attributes

reg_key
a8a98371e314c9de13f333a4ac27e8f6
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_67e68317591942846cb44884a0d5f380
- Size
  
  43KB
- MD5
  
  67e68317591942846cb44884a0d5f380
- SHA1
  
  e39aeb33f43ec1f72fae8b2aa132bc804c311b06
- SHA256
  
  5a42fb8cd6463b23d1b5d56e123429f7e38b2abab1a0baa7b74e8ee128054651
- SHA512
  
  c6fbe7020499f65e0f175b3e96d37966b7f88a44879912745af06c2b53aa1894f50eceb4a5470546dbb0030e7307af6d384695902fb2bd30d1b8b79b737cb905
- SSDEEP
  
  768:hg1cK3SMcDA9lRQO8BMUBkJBMBb6Rk9WeYxTXkiHj0g/l3t:hguG4OlRQDBBBkfM9myYxT02jTd
Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackedevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackedevasionpersistenceprivilege_escalationtrojan