njrat | ddebf2f47bcc673d1981784382b9e590f8347f2b4d2d16ac5ed5863038010334 | Triage

Sharing

General

Target

JaffaCakes118_2104a7a18b60863b1d73b3bb082ab620
Size

296KB
Sample

250106-nmd1wsxnhn
MD5

2104a7a18b60863b1d73b3bb082ab620
SHA1

45c746cc708635f239a9b8cf01aec6b186192bc4
SHA256

ddebf2f47bcc673d1981784382b9e590f8347f2b4d2d16ac5ed5863038010334
SHA512

17008f2006a7176a38df0e482b2131aac4c4b39ca6b56ae88c2d2a3c4d21fb27df4fe0c107447885d40635921e343eb47d319a9e7164a512f215cee9cd1a627e
SSDEEP

768:+h6X/EWNG6+DG9PG1INeBU09m4ukw6nbi/bUibwp4JDeDYISywilKFtf5vLAY1Rs:+hoEWHNeBU09kHsi/X7N6aRM

Score

10^/10

njrat scammer discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

scammer

C2

oxy01.linkpc.net:1177

Mutex

08f4dc96bbb7af09d1a37fe35c75a42f

Attributes

reg_key
08f4dc96bbb7af09d1a37fe35c75a42f
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_2104a7a18b60863b1d73b3bb082ab620
- Size
  
  296KB
- MD5
  
  2104a7a18b60863b1d73b3bb082ab620
- SHA1
  
  45c746cc708635f239a9b8cf01aec6b186192bc4
- SHA256
  
  ddebf2f47bcc673d1981784382b9e590f8347f2b4d2d16ac5ed5863038010334
- SHA512
  
  17008f2006a7176a38df0e482b2131aac4c4b39ca6b56ae88c2d2a3c4d21fb27df4fe0c107447885d40635921e343eb47d319a9e7164a512f215cee9cd1a627e
- SSDEEP
  
  768:+h6X/EWNG6+DG9PG1INeBU09m4ukw6nbi/bUibwp4JDeDYISywilKFtf5vLAY1Rs:+hoEWHNeBU09kHsi/X7N6aRM
Score

10^/10

njrat scammer discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratscammerdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratscammerdiscoveryevasionpersistenceprivilege_escalationtrojan