Overview

overview

10

Static

static

3

Daxon.exe

windows10-2004-x64

10

Daxon.exe

windows7-x64

10

Daxon.exe

windows10-2004-x64

10

Daxon.exe

windows10-ltsc 2021-x64

10

Daxon.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Daxon.exe

  • Size

    228KB

  • Sample

    250112-x6lphswjcy

  • MD5

    770e16a5bfc519bbeb406858ad8416be

  • SHA1

    6adcfd39d8c6d7446597a2e1ea0fd6a549187fe8

  • SHA256

    6f133792af0d3db042dcefea44d4976c3132791c86f2d84db4545fd56f17893e

  • SHA512

    fdf0bae050c9a655e67e0e013e30ffe095dae3ead9cad9ac2f545b8f17c2441e68b02008e102b41f4ce281d4ef77445b896325d823ce3b2403c04c9d641deb0e

  • SSDEEP

    3072:XtSUpBVpd2JE7Y8E/UJAP8rxLLnEHBAnpK37nXM8b0e+Q7RKPsR74tyJTN+KXB2E:4cVAE7YH/UJkmLD8B5KPC9BI9xAa

Score
10/10
njrathacked by daxonevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed by Daxon

C2

daxon.giize.com:1111

Mutex

07e96873111575b2cf8735ed61a4fb46

Attributes
  • reg_key

    07e96873111575b2cf8735ed61a4fb46

  • splitter

    |'|'|

Targets

    • Target

      Daxon.exe

    • Size

      228KB

    • MD5

      770e16a5bfc519bbeb406858ad8416be

    • SHA1

      6adcfd39d8c6d7446597a2e1ea0fd6a549187fe8

    • SHA256

      6f133792af0d3db042dcefea44d4976c3132791c86f2d84db4545fd56f17893e

    • SHA512

      fdf0bae050c9a655e67e0e013e30ffe095dae3ead9cad9ac2f545b8f17c2441e68b02008e102b41f4ce281d4ef77445b896325d823ce3b2403c04c9d641deb0e

    • SSDEEP

      3072:XtSUpBVpd2JE7Y8E/UJAP8rxLLnEHBAnpK37nXM8b0e+Q7RKPsR74tyJTN+KXB2E:4cVAE7YH/UJkmLD8B5KPC9BI9xAa

    Score
    10/10
    njrathacked by daxonevasionexecutionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks