General

  • Target

    ja.exe

  • Size

    93KB

  • Sample

    220704-vhy9lacdc2

  • MD5

    f2321adc190e7db9b1f3b85e88f7ae54

  • SHA1

    0b6126aaab291e1dbe0006411eff27789994aa78

  • SHA256

    dfe4b6b4f1bda60e6870666e6e4809a8e3ee4827db737525c9313bfbc87bf5c1

  • SHA512

    e07182b6653cbe64c8c1b9d533adc2a476e9490d8cecf0281f12c0187a2915301337bf3f2d96880706f9369e2adf7cb32538c1852e73ce53e1b236515569b830

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg==

Mutex

fb116b75140ecc0173c4ba46bdb8d155

Attributes
  • reg_key

    fb116b75140ecc0173c4ba46bdb8d155

  • splitter

    |'|'|
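The C2 value above is not plaintext. njRAT 0.7d stores the host and port base64-encoded, and in this build the base64 letter M appears to have been swapped for the literal string FRANSESCO (an inference from the string itself, not something the report states). The Python below is an added example, not part of the sandbox report or of njRAT: it undoes that substitution, decodes both halves of the field (giving 127.0.0.1 and 5552, njRAT's default port), and splits a constructed message body on the splitter attribute. The check-in message shape and the victim tag are hypothetical.

```python
import base64
from typing import List, Tuple

# Values the sandbox extracted from this sample's njRAT 0.7d configuration.
C2_FIELD = "FRANSESCOTI3LjAuFRANSESCOC4x:NTU1Mg=="
SPLITTER = "|'|'|"

# Assumption, inferred from the string rather than stated by the report: the
# literal "FRANSESCO" stands in for the base64 letter "M". Undoing that
# substitution yields canonical base64 in both the host and port fields.
TOKEN = "FRANSESCO"
TOKEN_REPLACES = "M"


def decode_field(field: str) -> str:
    """Undo the token substitution, repair stripped padding, base64-decode."""
    s = field.replace(TOKEN, TOKEN_REPLACES)
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True).decode("ascii")


def decode_c2(field: str) -> Tuple[str, int]:
    """Split the host:port C2 field on the last colon and decode each half.

    The host may be an IP literal or a hostname (dynamic-DNS names are common
    in njRAT builds); both decode the same way, so no IP parsing is done here.
    """
    host_part, port_part = field.rsplit(":", 1)
    host = decode_field(host_part)
    port = int(decode_field(port_part))
    if not 0 < port < 65536:
        raise ValueError(f"decoded port out of range: {port}")
    return host, port


def split_fields(payload: str) -> List[str]:
    """Split a njRAT message body on the configured field delimiter."""
    return payload.split(SPLITTER)


# Constructed message body (not captured traffic) shaped like a njRAT check-in:
# the botnet ID "HacKed" from the report prefixes a hypothetical victim tag.
SAMPLE_PAYLOAD = "ll|'|'|HacKed_0A1B2C3D|'|'|VICTIM-PC|'|'|user"

if __name__ == "__main__":
    print(decode_c2(C2_FIELD))          # ('127.0.0.1', 5552)
    print(split_fields(SAMPLE_PAYLOAD))
```

A loopback C2 address usually means the sample was built for local testing or had its real host patched out; treat the port and the botnet ID, not the host, as the reusable indicators. Note also that the mutex and reg_key attributes carry the same value: njRAT uses one identifier string both as its mutex name and as the name of its autorun registry value.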

Targets

    • Target

      ja.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Loads dropped DLL

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.
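The signatures above translate into host artifacts an analyst can hunt for. The Python below is an added example, not part of the sandbox report: it parses a constructed registry export and a constructed autorun.inf and flags the indicators implied by the signatures. The placement of the reg_key value under a Run key and the DisableTaskMgr policy value under Policies\System are assumptions based on how njRAT is commonly observed to behave, not facts from the report; only the value name comes from the extracted config.

```python
import configparser
import re
from typing import Dict, List

# reg_key / mutex value extracted from this sample's config (from the report).
REG_KEY = "fb116b75140ecc0173c4ba46bdb8d155"

# Constructed .reg-style export standing in for a snapshot of a suspect host.
# Key paths and data are hypothetical; only the value name is from the report.
REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"fb116b75140ecc0173c4ba46bdb8d155"="\"C:\\Users\\user\\AppData\\Roaming\\ja.exe\""
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

# Constructed autorun.inf as it would sit in the root of an infected removable volume.
AUTORUN_INF = "[autorun]\nopen=ja.exe\nshellexecute=ja.exe\nlabel=Removable Disk\n"

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: raw data string}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def registry_findings(keys: Dict[str, Dict[str, str]], reg_key: str = REG_KEY) -> List[str]:
    """Flag the reg_key autorun value and the Task Manager policy lockout."""
    findings: List[str] = []
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1].lower()
        if tail == "run" and reg_key in values:
            findings.append(f"autorun value {reg_key} under {path}: {values[reg_key]}")
        if tail == "system" and values.get("DisableTaskMgr", "").lower() == "dword:00000001":
            findings.append(f"Task Manager disabled by policy under {path}")
    return findings


def autorun_findings(inf_text: str) -> List[str]:
    """Flag autorun.inf directives that launch an executable from the volume."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    out: List[str] = []
    for directive in ("open", "shellexecute"):
        target = cp.get("autorun", directive, fallback=None)
        if target and target.lower().endswith(".exe"):
            out.append(f"autorun.inf {directive}= launches {target}")
    return out


if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(REG_EXPORT)) + autorun_findings(AUTORUN_INF):
        print(f)
```

On a live host the same checks map to `reg query` against the Run keys and Policies\System, and to inspecting the root of any removable volume that was attached while the sample ran; the "Deletes itself" signature means the original ja.exe path will usually be gone, so the Run value data is the better pointer to the copy that persists.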

MITRE ATT&CK Matrix (ATT&CK v6)

  • Initial Access
      Replication Through Removable Media, T1091 (×1)

  • Execution
      Scheduled Task, T1053 (×1)

  • Persistence
      Modify Existing Service, T1031 (×1)
      Scheduled Task, T1053 (×1)

  • Privilege Escalation
      Scheduled Task, T1053 (×1)

  • Discovery
      Query Registry, T1012 (×1)
      System Information Discovery, T1082 (×2)

  • Lateral Movement
      Replication Through Removable Media, T1091 (×1)

Note: the IDs above are ATT&CK v6. In current ATT&CK, T1031 was deprecated and folded into T1543.003 (Create or Modify System Process: Windows Service), and Scheduled Task is the sub-technique T1053.005; T1012, T1082 and T1091 are unchanged.