njrat | 57aa58bfe01964b099dcc5a27416aa4643775ad19763bdaf946189e74093f209 | Triage

Sharing

General

Target

JaffaCakes118_6a1f4e2920e4b22197aebfb451127280
Size

345KB
Sample

250103-enq76synct
MD5

6a1f4e2920e4b22197aebfb451127280
SHA1

a3b8c73e6f561221f68f047043836c9ec31d1778
SHA256

57aa58bfe01964b099dcc5a27416aa4643775ad19763bdaf946189e74093f209
SHA512

b89b850a25a66458703a6235c9e1ae93f69b1e70e75f1c5ad597f67fe19868021d4991abf259eafb88e29a1eba2d8c565273dc446d9d6264ddc8b16321d21df6
SSDEEP

6144:/Y20AljuB28YZgqEPfS1fE1G5e06aRgm4SflxriIh:/Y20AljdZgBPfKf+I7J1

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

legend7mood.no-ip.biz:1177

Mutex

0e0d62bcdd008ea9bb60488901e62013

Attributes

reg_key
0e0d62bcdd008ea9bb60488901e62013
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_6a1f4e2920e4b22197aebfb451127280
- Size
  
  345KB
- MD5
  
  6a1f4e2920e4b22197aebfb451127280
- SHA1
  
  a3b8c73e6f561221f68f047043836c9ec31d1778
- SHA256
  
  57aa58bfe01964b099dcc5a27416aa4643775ad19763bdaf946189e74093f209
- SHA512
  
  b89b850a25a66458703a6235c9e1ae93f69b1e70e75f1c5ad597f67fe19868021d4991abf259eafb88e29a1eba2d8c565273dc446d9d6264ddc8b16321d21df6
- SSDEEP
  
  6144:/Y20AljuB28YZgqEPfS1fE1G5e06aRgm4SflxriIh:/Y20AljdZgBPfKf+I7J1
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan