General

  • Target

    New Client.exe

  • Size

    329KB

  • Sample

    230722-jrhgnaaa35

  • MD5

    9202baa178d24e6fa0eb45262ac7e16a

  • SHA1

    e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

  • SHA256

    6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

  • SHA512

    0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

  • SSDEEP

    6144:z1g9zWvMmbhoLVOT/FtBkFHS4bnb5Y1C54hP56eya4oPbLZzXHgTbM0Ckc6D+Kl2:z1NXbhoLVOT/FtBkFHSwnb5Y1C54hP5x

Malware Config

Extracted

  • Family

    njrat

  • Version

    Platinum

  • Botnet

    Slave

  • C2

    127.0.0.1:11883

  • Mutex

    sys.exe

  • Attributes

    • reg_key

      sys.exe

    • splitter

      |Ghost|

Targets

    • Target

      New Client.exe

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
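
The extracted configuration and the behaviour signatures above give a small but usable indicator set: the file hashes, the Run-key value name taken from the reg_key attribute, and the C2 host:port. The following Python is an added example, not part of the sandbox output, that turns those indicators into matching logic run over a handful of constructed Sysmon-style events (the key=value line layout and the events themselves are assumptions for the example, not real telemetry; treating reg_key as the value name under ...\CurrentVersion\Run is also an assumption). Note that the extracted C2 is the loopback address, so the network check can only fire on traffic the sample generates against its own host; as configured, this build has no remote operator to reach.

```python
"""IOC matching built from the indicators in the report above.

Added example, not part of the sandbox output. Indicators (hashes, Run-key
value name, C2 host:port) are copied from the report; the Sysmon-style log
lines and their key=value layout are constructed for the example and are
not real telemetry.
"""
import hashlib
import re

# Indicators copied from the report.
FILE_HASHES = {
    "md5": "9202baa178d24e6fa0eb45262ac7e16a",
    "sha1": "e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770",
    "sha256": "6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655",
}
# reg_key attribute; assumed to be the value name under ...\CurrentVersion\Run (any hive).
RUN_KEY_VALUE = "sys.exe"
C2_HOST, C2_PORT = "127.0.0.1", 11883

# Field layout of the constructed events (assumption made for this example).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>\S+)", re.IGNORECASE
)
NET_RE = re.compile(r"DestinationIp=(?P<ip>\S+)\s+DestinationPort=(?P<port>\d+)")


def hash_matches(data: bytes) -> dict:
    """Compare a file's digests against the report's hashes; True per algorithm that matches."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in FILE_HASHES.items()
    }


def match_run_key(line: str) -> bool:
    """T1547.001: a registry write that creates the Run value the report names."""
    m = RUN_KEY_RE.search(line)
    return bool(m) and m.group("name").lower() == RUN_KEY_VALUE.lower()


def match_c2(line: str) -> bool:
    """Connection to the configured C2 host:port (loopback in this sample)."""
    m = NET_RE.search(line)
    return bool(m) and m.group("ip") == C2_HOST and int(m.group("port")) == C2_PORT


def scan(lines):
    """Return (technique, line) pairs for every event that hits an indicator."""
    hits = []
    for line in lines:
        if match_run_key(line):
            hits.append(("T1547.001 Registry Run Keys", line))
        if match_c2(line):
            hits.append(("C2 127.0.0.1:11883", line))
    return hits


# Constructed Sysmon-style events (not real logs): one Run-key write matching the
# report, one unrelated Run-key write, one connection to the configured C2, one benign one.
SAMPLE_EVENTS = [
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\sys.exe Details=C:\Users\u\AppData\Roaming\sys.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"EventID=3 Image=C:\Users\u\AppData\Roaming\sys.exe DestinationIp=127.0.0.1 DestinationPort=11883",
    r"EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=13.107.4.50 DestinationPort=443",
]

if __name__ == "__main__":
    for technique, line in scan(SAMPLE_EVENTS):
        print(technique, "<-", line)
    # Only the real file matches; arbitrary bytes return False for every algorithm.
    print(hash_matches(b"not the sample"))
```

Only the first and third constructed events are flagged; the unrelated Run value and the benign HTTPS connection pass through, and the hash check stays negative for anything other than the original file.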

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053) ×1

Persistence

  • Boot or Logon Autostart Execution (T1547) ×1
  • Registry Run Keys / Startup Folder (T1547.001) ×1
  • Scheduled Task/Job (T1053) ×1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547) ×1
  • Registry Run Keys / Startup Folder (T1547.001) ×1
  • Scheduled Task/Job (T1053) ×1

Defense Evasion

  • Modify Registry (T1112) ×1

Discovery

  • Query Registry (T1012) ×1
  • System Information Discovery (T1082) ×2

Command and Control

  • Web Service (T1102) ×1
