njrat | 824d982dd022bedc4aef004d0efafd38517d88b4db3bd70a0df5ba1e001c925f | Triage

Sharing

General

Target

JaffaCakes118_788a7179737a9a07f5c7841a3d997a30
Size

29KB
Sample

250104-jqzpjszpds
MD5

788a7179737a9a07f5c7841a3d997a30
SHA1

9c8e1fc8e46b8782c5f772985b072d0dced49f42
SHA256

824d982dd022bedc4aef004d0efafd38517d88b4db3bd70a0df5ba1e001c925f
SHA512

0d0e8986be6fbd2b8833ceac8c6abb2289f696c2b86d639c4abb190f313b35f4008f7fe016756d8bcd15c551dd164102fffb3a78084a120e46208b413898b261
SSDEEP

384:d2nLNl73t5otQMOdePp5TdNZmGmUD8ZneQqGBsbh0w4wlAokw9OhgOL1vYRGOZzs:+7jo2MzBvb4UcneQBKh0p29SgRjyn

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

hardysalah.no-ip.biz:1177

Mutex

cd9e051ed80df1a0c0b000059793bab8

Attributes

reg_key
cd9e051ed80df1a0c0b000059793bab8
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_788a7179737a9a07f5c7841a3d997a30
- Size
  
  29KB
- MD5
  
  788a7179737a9a07f5c7841a3d997a30
- SHA1
  
  9c8e1fc8e46b8782c5f772985b072d0dced49f42
- SHA256
  
  824d982dd022bedc4aef004d0efafd38517d88b4db3bd70a0df5ba1e001c925f
- SHA512
  
  0d0e8986be6fbd2b8833ceac8c6abb2289f696c2b86d639c4abb190f313b35f4008f7fe016756d8bcd15c551dd164102fffb3a78084a120e46208b413898b261
- SSDEEP
  
  384:d2nLNl73t5otQMOdePp5TdNZmGmUD8ZneQqGBsbh0w4wlAokw9OhgOL1vYRGOZzs:+7jo2MzBvb4UcneQBKh0p29SgRjyn
Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njrathackeddiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

discoveryevasionpersistenceprivilege_escalation