Overview

overview

10

Static

static

10

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_778d851ee285deb89998b5578988f810

  • Size

    16KB

  • Sample

    250104-esqr7stkbr

  • MD5

    778d851ee285deb89998b5578988f810

  • SHA1

    ad6dd4cb0d344a22fc4e88205a9a2d5432c4e7b4

  • SHA256

    d0518ad96b2c42c799f9f0dc50f9043c7881095c5c17c068c44241b808e10988

  • SHA512

    10df7ef0d84fac4e4e5ba39b531afd255af52f4aa8570a3aa1fa643386c0cbcf77934c8bf6f71bacb9314a24a2b285d07946ddf35319a60a7778b529edaf0221

  • SSDEEP

    384:vxg+tkmi2R1PcDwj75UcKYsbm6k7PVFw2K4noN91JJ4jE1:y0kkR1UDq7xKYomH7tFw2K44AE1

Score
10/10
njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

blackmagix.no-ip.org:1177

Mutex

a49931bd13ad32f9534c94e1f51783c7

Attributes
  • reg_key

    a49931bd13ad32f9534c94e1f51783c7

  • splitter

    |'|'|

Targets

    • Target

      sample

    • Size

      29KB

    • MD5

      2a8847ebfe7ab2f15d166640d196b9ab

    • SHA1

      5855abd2d9e15c9a7dfc96b08b737fe664433478

    • SHA256

      19e0a51ad19bda6e5ddd16b4d3954dc959b832b3cd8c23478ee3524015bca350

    • SHA512

      fcfc0077d8a40f1996b7eca425045c9f37ae28bd78b5dbf617fdd8cecd3162b603d968523e30ba04182989049b66dd41fde5f35edc54a12f10f9f82571075f7b

    • SSDEEP

      768:j7RmpgGD1BH9D8qbILeuBKh0p29SgRs2:j7RKIcIrKhG29js2

    Score
    10/10
    njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks