Overview

overview

10

Static

static

10

Server.exe

windows7-x64

8

Server.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Server.exe

  • Size

    93KB

  • Sample

    250123-xdq4jayqav

  • MD5

    96ce0bd41a130c362b1166c770960287

  • SHA1

    01bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30

  • SHA256

    4fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851

  • SHA512

    933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1

  • SSDEEP

    1536:ZajFQWqkqqoLc2mLiIjEwzGi1dDyDMgS:ZajmkqqoA28i5i1dkl

Score
10/10
njrathackeddefense_evasiondiscoverypersistenceprivilege_escalation

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

hakim32.ddns.net:2000

193.123.88.61:4444
Mutex

9026faf0d7bc26a38f2e53c5ac0d583b

Attributes
  • reg_key

    9026faf0d7bc26a38f2e53c5ac0d583b

  • splitter

    |'|'|

Targets

    • Target

      Server.exe

    • Size

      93KB

    • MD5

      96ce0bd41a130c362b1166c770960287

    • SHA1

      01bfe9caf709cb3ab3366fd7cd28a5dd95ea4b30

    • SHA256

      4fd30f330a4150ba28848121c9c0e99c98b198b6abeeceba5c08024c0ab9a851

    • SHA512

      933e6af32e68822eef6bfd941a7f027eb8aeceb745b0fb091a79aa8e327ca955e8af20e4032debbee43233b03287321abab3ca95ffc2da127ac299fada9c78c1

    • SSDEEP

      1536:ZajFQWqkqqoLc2mLiIjEwzGi1dDyDMgS:ZajmkqqoA28i5i1dkl

    Score
    8/10
    defense_evasiondiscoverypersistenceprivilege_escalation

    • Disables Task Manager via registry modification

      defense_evasion

    • Modifies Windows Firewall

      defense_evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks