Revisiting HWorm and NjRAT
Tags
| cmtmf-attack-pattern: | Masquerading |
| country: | Algeria |
| attack-pattern: | Data Dynamic Dns - T1311 Dynamic Dns - T1333 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Mshta - T1218.005 Masquerading - T1036 Mshta - T1170 Scripting - T1064 Masquerading Scripting |
Common Information
| Type | Value |
|---|---|
| UUID | 7af5a718-ab63-43dd-a12d-7117adb3a02e |
| Fingerprint | b569b8f36927878d |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | May 12, 2017, 12:02 a.m. |
| Added to db | Jan. 18, 2023, 7:56 p.m. |
| Last updated | Nov. 17, 2024, 10:40 p.m. |
| Headline | Deriving Cyber Threat Intelligence and Driving Threat Hunting |
| Title | Revisiting HWorm and NjRAT |
| Detected Hints/Tags/Attributes | 55/3/18 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | http://malwarenailed.blogspot.com/2017/05/revisiting-hworm-and-njrat.html |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 184 | www.fireeye.com |
|
| Details | Domain | 1 | www.gwmicro.com |
|
| Details | Domain | 1 | ody.no-ip.biz |
|
| Details | Domain | 5 | shellobj.run |
|
| Details | File | 2 | r.vbs |
|
| Details | File | 1 | servieca.vbs |
|
| Details | File | 2 | njw0rm-brother-from-the-same-mother.html |
|
| Details | File | 5 | a.doc |
|
| Details | File | 2126 | cmd.exe |
|
| Details | File | 5 | 2.vbs |
|
| Details | File | 376 | wscript.exe |
|
| Details | File | 155 | cscript.exe |
|
| Details | File | 456 | mshta.exe |
|
| Details | md5 | 1 | b957911d7d5865e91851ab402189ae86 |
|
| Details | md5 | 1 | 0ab40f5c7d9151742ec29d53fb224ad8 |
|
| Details | Url | 1 | https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html |
|
| Details | Url | 1 | https://www.gwmicro.com/support/knowledge_base/?kbnumber=gwkb2035 |
|
| Details | Windows Registry Key | 1 | HKCU\njq8 |