njrat | e7ce4c4738ddd3e364b792ae1341e369ed8269a0a59495a525ae54aa7cdd529a | Triage

Sharing

General

Target

JaffaCakes118_69f9b58ce42c2388e7d0ce040ef35720
Size

29KB
Sample

250103-d35hnsxpgs
MD5

69f9b58ce42c2388e7d0ce040ef35720
SHA1

bcd5f93af0d7395de3539e781a2d9466b0396792
SHA256

e7ce4c4738ddd3e364b792ae1341e369ed8269a0a59495a525ae54aa7cdd529a
SHA512

5618a91eef974e852400cebc003c02a2351f5b82a7974319601d37c09017dfc1543286821915a2e7dde6b75e7b52db38b71c533b5d905951e5336e05ea0558a4
SSDEEP

384:uFUHEBl7p3hUw2s7bD55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzNr:u57bUw2C3kEcqNreHBKh0p29SgR/x

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

klawess1.no-ip.org:1177

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_69f9b58ce42c2388e7d0ce040ef35720
- Size
  
  29KB
- MD5
  
  69f9b58ce42c2388e7d0ce040ef35720
- SHA1
  
  bcd5f93af0d7395de3539e781a2d9466b0396792
- SHA256
  
  e7ce4c4738ddd3e364b792ae1341e369ed8269a0a59495a525ae54aa7cdd529a
- SHA512
  
  5618a91eef974e852400cebc003c02a2351f5b82a7974319601d37c09017dfc1543286821915a2e7dde6b75e7b52db38b71c533b5d905951e5336e05ea0558a4
- SSDEEP
  
  384:uFUHEBl7p3hUw2s7bD55gEKemqDSqre/IDGBsbh0w4wlAokw9OhgOL1vYRGOZzNr:u57bUw2C3kEcqNreHBKh0p29SgR/x
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation