General

  • Target

    Server.exe

  • Size

    93KB

  • Sample

    240630-x3hhpawflk

  • MD5

    cea4f20992cffa364724e8b15c1673cf

  • SHA1

    082e2f92180df46a35e177565158957ed8f3b0bd

  • SHA256

    cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370

  • SHA512

    5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c

  • SSDEEP

    768:kY30L4eZw0FBcp4uQwV/JMVBXFbF4qeXuOWN/XxrjEtCdnl2pi1Rz4Rk3AsGdp+3:gL40wmEQwVhMTcJLYjEwzGi1dDYD+gS

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    hakim32.ddns.net:2000

    https://0bd1-2605-6440-2000-3002-f90b-8a6c-311d-ee13.ngrok-free.app.:8080

  • Mutex

    7e19fde512dbe42326e20391d7e09012

Attributes
  • reg_key

    7e19fde512dbe42326e20391d7e09012

  • splitter

    |'|'|

Targets

    • Target

      Server.exe

    • Size

      93KB

    • MD5

      cea4f20992cffa364724e8b15c1673cf

    • SHA1

      082e2f92180df46a35e177565158957ed8f3b0bd

    • SHA256

      cb7076dd6a1a709809dec644f95d4b888bc09df369ad0cc767ee13cceb314370

    • SHA512

      5ae2eef817e5cdeade5e0159bf52fbb32c6091e7b5d0d57721ed7605ffaf0efd017c738add55b45b975341e5c1d01a797fa6fec5205e8b5f315fa675408b151c

    • SSDEEP

      768:kY30L4eZw0FBcp4uQwV/JMVBXFbF4qeXuOWN/XxrjEtCdnl2pi1Rz4Rk3AsGdp+3:gL40wmEQwVhMTcJLYjEwzGi1dDYD+gS

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique / Sub-technique               Count  ID
  Initial Access         Replication Through Removable Media     1      T1091
  Execution              Scheduled Task/Job                      1      T1053
                           Scheduled Task                        1      T1053.005
  Persistence            Create or Modify System Process         1      T1543
                           Windows Service                       1      T1543.003
                         Event Triggered Execution               1      T1546
                           Netsh Helper DLL                      1      T1546.007
                         Scheduled Task/Job                      1      T1053
                           Scheduled Task                        1      T1053.005
  Privilege Escalation   Create or Modify System Process         1      T1543
                           Windows Service                       1      T1543.003
                         Event Triggered Execution               1      T1546
                           Netsh Helper DLL                      1      T1546.007
                         Scheduled Task/Job                      1      T1053
                           Scheduled Task                        1      T1053.005
  Defense Evasion        Impair Defenses                         1      T1562
                           Disable or Modify System Firewall     1      T1562.004
  Lateral Movement       Replication Through Removable Media     1      T1091

Tasks