njrat | 6dd1214944c59f14b169821e77f312c22f08d292f4fc6de29280a884ad753b4b | Triage

Sharing

General

Target

JaffaCakes118_77efd9421dd7faf39488107714d8f030
Size

104KB
Sample

250104-gaznhavlew
MD5

77efd9421dd7faf39488107714d8f030
SHA1

cb363e8c037e7f1b759383539f4314836648b368
SHA256

6dd1214944c59f14b169821e77f312c22f08d292f4fc6de29280a884ad753b4b
SHA512

9c378c330732e9cb0af433e9ea4afff4618cf4005952d7a8727a8f306d4730b703efc8af087ef752b38e273966a35faca2b34a6d541eb4b452343752879714e4
SSDEEP

1536:8uUgTct6IASo6M9ZwYjiBqbaInnGfIshKRWubSl:9dTfSo6MkWbaInqIs80h

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

medohack.no-ip.biz:1117

Mutex

a03dbd339a1060aec9cf0c61af677399

Attributes

reg_key
a03dbd339a1060aec9cf0c61af677399
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_77efd9421dd7faf39488107714d8f030
- Size
  
  104KB
- MD5
  
  77efd9421dd7faf39488107714d8f030
- SHA1
  
  cb363e8c037e7f1b759383539f4314836648b368
- SHA256
  
  6dd1214944c59f14b169821e77f312c22f08d292f4fc6de29280a884ad753b4b
- SHA512
  
  9c378c330732e9cb0af433e9ea4afff4618cf4005952d7a8727a8f306d4730b703efc8af087ef752b38e273966a35faca2b34a6d541eb4b452343752879714e4
- SSDEEP
  
  1536:8uUgTct6IASo6M9ZwYjiBqbaInnGfIshKRWubSl:9dTfSo6MkWbaInqIs80h
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratdiscoveryevasionpersistenceprivilege_escalationtrojan