njrat | f67e18dd6ca300a2169bbe3c018097f43490f7f2270608c892450360cc502a18 | Triage

Sharing

General

Target

JaffaCakes118_cde2dae99f7f1b522889f5aad05db8ca
Size

326KB
Sample

250109-v23q5avrht
MD5

cde2dae99f7f1b522889f5aad05db8ca
SHA1

834371280e7ad513679e1c1517eac5cbb237154c
SHA256

f67e18dd6ca300a2169bbe3c018097f43490f7f2270608c892450360cc502a18
SHA512

03f76ac07caf7e01d0b541b194a8ac791bc606f1a00f69f8dbc125500ef47d16689a864ad70faa8241282366fe91dd711b55576cb499b75c55d9b67856165c80
SSDEEP

6144:WAZYp7LNq+bFtvM6ATJw0dByAbYQ2gso6SUWne8RpyTQb3YhK5DvOLKirxC0ki1K:WAZYp7LNq+bFtvM6ATfbyAbYesXSUriP

Score

10^/10

njrat lammer discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

127.0.0.1:1155

Mutex

8dec69a5f3665f8ce37a100334b5fe39

Attributes

reg_key
8dec69a5f3665f8ce37a100334b5fe39
splitter
|'|'|

Targets

- Target
  
  JaffaCakes118_cde2dae99f7f1b522889f5aad05db8ca
- Size
  
  326KB
- MD5
  
  cde2dae99f7f1b522889f5aad05db8ca
- SHA1
  
  834371280e7ad513679e1c1517eac5cbb237154c
- SHA256
  
  f67e18dd6ca300a2169bbe3c018097f43490f7f2270608c892450360cc502a18
- SHA512
  
  03f76ac07caf7e01d0b541b194a8ac791bc606f1a00f69f8dbc125500ef47d16689a864ad70faa8241282366fe91dd711b55576cb499b75c55d9b67856165c80
- SSDEEP
  
  6144:WAZYp7LNq+bFtvM6ATJw0dByAbYQ2gso6SUWne8RpyTQb3YhK5DvOLKirxC0ki1K:WAZYp7LNq+bFtvM6ATfbyAbYesXSUriP
Score

10^/10

njrat lammer discovery evasion persistence privilege_escalation trojan
- Njrat family
  njrat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

njratlammerdiscoveryevasionpersistenceprivilege_escalationtrojan

behavioral2

njratlammerdiscoveryevasionpersistenceprivilege_escalationtrojan