General

  • Target

    f91897d648d7d27ff036f2e9ec906eee_JaffaCakes118

  • Size

    459KB

  • Sample

    240419-art11sbb78

  • MD5

    f91897d648d7d27ff036f2e9ec906eee

  • SHA1

    fec52c77723162f9f2fda5942c4fd53400722af9

  • SHA256

    b67e79fb5d9a3201a803470889916325c265f4994eda26ddfde9ec9febdad233

  • SHA512

    c9d1d1c5879c0d3f8dc5cc353e1776080a6afe651a37def90c17e22a7caf123e486d001e4cb0c0a87b8ba0fc5a3194aa3cbc04d76384deeb67fb048131bd2c33

  • SSDEEP

    6144:ec0h522p3l04ZMSmIp3Uy28uhyFM0s8QWPhOQ2sF3NB1O2FgeizSGnX3UjZFcrLu:4hxp3lZnT9bDxF3P4DfSRdI0N

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    HacKed

  • C2

    185.82.217.154:5703

  • Mutex

    Windows Update

  • Attributes

    • reg_key

      Windows Update

    • splitter

      |Hassan|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1053 Scheduled Task/Job: 1

  • Persistence

    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution: 1
    T1547.001 Registry Run Keys / Startup Folder: 1
    T1053 Scheduled Task/Job: 1

  • Defense Evasion

    T1112 Modify Registry: 1

  • Discovery

    T1012 Query Registry: 1
    T1082 System Information Discovery: 2

Tasks