njrat | 1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18 | Triage

Sharing

General

Target

JaffaCakes118_aa7ecd1b7b97f64c5a426ba411f3eddf
Size

85KB
Sample

250105-rtcceswqgz
MD5

aa7ecd1b7b97f64c5a426ba411f3eddf
SHA1

6615c51b10315d7e457d7149195dbbdc60615bdd
SHA256

1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18
SHA512

4aaa6957b3db2b728b7dd7e066db25098a56b8c672b07e23d5215259e8399e69db1093b305c7171268bd6d32211b5971b9c3fd8a36a67b8a527cd3df7a5206ec
SSDEEP

1536:h5KNBcTWo4fH7itHRQqk/PmYFqQ5TD5EnqBrR0WTag6l3FsUgdR:h0NB597ihCqk/P3EQ5TDcqBV0WTx6l30

Score

10^/10

njrat lime discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

Lime

C2

127.0.0.1:1528

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
AZERTY

Targets

- Target
  
  JaffaCakes118_aa7ecd1b7b97f64c5a426ba411f3eddf
- Size
  
  85KB
- MD5
  
  aa7ecd1b7b97f64c5a426ba411f3eddf
- SHA1
  
  6615c51b10315d7e457d7149195dbbdc60615bdd
- SHA256
  
  1dc1a41ffe0e5478df5e628ff818e5abb06fba2b879549ccdb7f810e84d65f18
- SHA512
  
  4aaa6957b3db2b728b7dd7e066db25098a56b8c672b07e23d5215259e8399e69db1093b305c7171268bd6d32211b5971b9c3fd8a36a67b8a527cd3df7a5206ec
- SSDEEP
  
  1536:h5KNBcTWo4fH7itHRQqk/PmYFqQ5TD5EnqBrR0WTag6l3FsUgdR:h0NB597ihCqk/P3EQ5TDcqBV0WTx6l30
Score

10^/10

njrat lime discovery persistence trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratlimediscoverypersistencetrojan

behavioral2

njratlimediscoverypersistencetrojan