General

  • Target

    bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6

  • Size

    29KB

  • Sample

    220520-p6tq5acfb2

  • MD5

    0b87ba9858876702d052c84f27a2675e

  • SHA1

    a7ce50effb4f59effc0d08d643170bae2456f954

  • SHA256

    bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6

  • SHA512

    55bd5778a0d38f1085ba0ac49b7a3d608876974fd949ed5c452b0ce144a06c65f8fe066743369cf5ff174231bda036ce77cea175e6aee34b7420f13f09f58b36

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

dadijinn.ddns.net:1177

Mutex

d5a38e9b5f206c41f8851bf04a251d26

Attributes
  • reg_key

    d5a38e9b5f206c41f8851bf04a251d26

  • splitter

    |'|'|

Targets

    • Target

      bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6

    • Size

      29KB

    • MD5

      0b87ba9858876702d052c84f27a2675e

    • SHA1

      a7ce50effb4f59effc0d08d643170bae2456f954

    • SHA256

      bde52e15a948a302b45b683d85bdaa0ec82688decf8f9d00847b616a75fa5cd6

    • SHA512

      55bd5778a0d38f1085ba0ac49b7a3d608876974fd949ed5c452b0ce144a06c65f8fe066743369cf5ff174231bda036ce77cea175e6aee34b7420f13f09f58b36

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks