General

  • Target

    fb53e8329f479cdaacbe0ed5b092557a_JaffaCakes118

  • Size

    168KB

  • Sample

    240419-2nfg1ahe23

  • MD5

    fb53e8329f479cdaacbe0ed5b092557a

  • SHA1

    aa520e659dd7af03a6fd6db2fee5db405ce9db98

  • SHA256

    ab561032327d25263d4e395d95659b682825d23e7df71bc979ac1ab8c022d7e3

  • SHA512

    0080712fe87dc5d7c296871cbfb18e758576830b12b8ef26cef0419d1cf114f4ec8a11383d69bce748c68637ede4fc6c466cd445457538560ae91ca06671d2ae

  • SSDEEP

    3072:Zx8tQMBl123mpqmBR/dvRRP8FLPf7GU9yXCRRlVwl9OmGEov:Zx8tPtR/LRP8FOpSRU

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    @@@@@@@@@@

  • C2

    polatabi.ddns.net:1177

  • Mutex

    69057315a40cac64ff327acf88289ede

  • Attributes

    • reg_key

      69057315a40cac64ff327acf88289ede

    • splitter

      |'|'|

  Notes: the C2 is a dynamic-DNS hostname, so block or hunt on the host name rather than a resolved IP. Mutex and reg_key carry the same value; njRAT uses one configured string for both the mutex name and the name of its Run-key value, so this single string is the primary host IOC. The splitter is the delimiter njRAT places between fields in its C2 messages.
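Worked example, added here and not part of the sandbox report: a small offline parser for njRAT-style C2 traffic driven by the extracted config above. It assumes the well-known njRAT wire framing ("<decimal length>\0<payload>", fields inside the payload separated by the configured splitter |'|'|); the report itself only states the splitter. The beacon bytes are constructed for the example, and the field order after the registration command "ll" is illustrative, not something the report confirms. The host_iocs helper turns the config into the artefacts a responder would check (mutex, Run-key value name, C2 host and port).

```python
"""Added example: parse njRAT-style C2 frames and derive host IOCs from the config.

Assumptions (not from the report): the <len>\\x00<payload> framing, and the
field layout of the constructed sample beacon below.
"""

# Values copied from the extracted config in the report.
CONFIG = {
    "c2": "polatabi.ddns.net:1177",
    "version": "0.7d",
    "mutex": "69057315a40cac64ff327acf88289ede",
    "reg_key": "69057315a40cac64ff327acf88289ede",
    "splitter": "|'|'|",
}


def parse_frames(stream: bytes) -> list[bytes]:
    """Split a TCP byte stream into payloads using the <len>\\x00<payload> framing.

    Raises ValueError on a truncated or malformed stream instead of returning a
    partial frame, so a detector never treats garbage as a valid beacon.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            raise ValueError("missing NUL after length prefix")
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError(f"non-numeric length prefix: {prefix!r}")
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            raise ValueError("frame body truncated")
        frames.append(stream[start:end])
        pos = end
    return frames


def split_fields(frame: bytes, splitter: str = CONFIG["splitter"]) -> list[str]:
    """Decode one payload and split it on the configured njRAT field splitter."""
    return frame.decode("utf-8", errors="replace").split(splitter)


def build_frame(fields: list[str], splitter: str = CONFIG["splitter"]) -> bytes:
    """Encode fields into one frame; used only to construct the sample stream."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def host_iocs(config: dict) -> dict:
    """Host artefacts implied by the config.

    njRAT uses the same configured string for its mutex and for the value name
    under HKCU\\...\\Run, which is why mutex == reg_key in the report.
    """
    host, port = config["c2"].rsplit(":", 1)
    return {
        "mutex": config["mutex"],
        "run_key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "run_key_value_name": config["reg_key"],
        "c2_host": host,
        "c2_port": int(port),
    }


# CONSTRUCTED sample: a registration beacon followed by a one-field keep-alive,
# back to back as they would sit in a TCP stream. Field order after "ll" is an
# assumption for illustration only.
SAMPLE_STREAM = build_frame(
    ["ll", "QEBAQEBAQEBAQF9BQkNERUYwMTIz", "DESKTOP-TEST", "user",
     "24-04-19", "", "Win 10 Pro SP0 x64", "No", CONFIG["version"], ".."]
) + build_frame(["P"])


if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_STREAM):
        print(split_fields(frame))
    print(host_iocs(CONFIG))
```

Feeding parse_frames a stream cut one byte short raises ValueError rather than yielding a half frame, which is the behaviour you want when replaying partial captures.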

Targets

    • Target

      fb53e8329f479cdaacbe0ed5b092557a_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      Maps to T1562.004 below. njRAT builds of this generation whitelist their own copy by running netsh firewall add allowedprogram, so look for that command line spawned by the dropped executable.

    • Checks computer location settings

      Looks up the country code configured in the registry (HKCU\Control Panel\International\Geo\Nation), likely a geofence. Caveat: .NET culture and region initialisation reads the same key, so for a .NET sample this signature on its own is weak evidence of deliberate geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      Persistence is keyed on the reg_key value from the extracted config (69057315a40cac64ff327acf88289ede), which njRAT uses as the Run-key value name as well as the mutex name.

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                              ID          Signatures
  Persistence            Create or Modify System Process        T1543       1
  Persistence            Windows Service                        T1543.003   1
  Persistence            Boot or Logon Autostart Execution      T1547       1
  Persistence            Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation   Create or Modify System Process        T1543       1
  Privilege Escalation   Windows Service                        T1543.003   1
  Privilege Escalation   Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation   Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion        Impair Defenses                        T1562       1
  Defense Evasion        Disable or Modify System Firewall      T1562.004   1
  Defense Evasion        Modify Registry                        T1112       1
  Discovery              Query Registry                         T1012       1
  Discovery              System Information Discovery           T1082       2

  The Signatures column is the number of behavioural signatures mapped to each technique. T1543 and T1547 appear under both Persistence and Privilege Escalation because ATT&CK lists those techniques under both tactics.
