General

  • Target

    f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118

  • Size

    120KB

  • Sample

    240417-dzywqacd94

  • MD5

    f4ef4c394d0ca5d493b584b0d6f7a08d

  • SHA1

    3ec040c1ac1a4c72430e70505746d69c1379c7f4

  • SHA256

    f82488b7580088ef97f7eb9112a860ebd7c67489b40e23971e37acdfc6bbf0a3

  • SHA512

    a44460b7edbc0761a12457fc27627dc7bc28820fd8b48412e12e1d13aabac1f146cba147d61afbe43c0a39cfc90367aa49667ee6717cda5b57757353d7a7cd06

  • SSDEEP

    1536:9qNkaWgQKUFftuITp1+8+CthPXstugIaFVIFEKFR59vEcqrmqwfzy9KJsz:o/WXPD+8TXM9F+EO595qrb9y

Malware Config

Extracted

  • Family

    njrat

  • Version

    v2.0

  • Botnet

    HacKed

  • C2

    107.152.99.41:54893

  • Mutex

    Windows

  • Attributes

    reg_key: Windows

    splitter: |-F-|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Impair Defenses (T1562): 1
    Disable or Modify System Firewall (T1562.004): 1
    Modify Registry (T1112): 1
    Hide Artifacts (T1564): 1
    Hidden Files and Directories (T1564.001): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

Tasks