General

  • Target

    fbfc3b70d6f2781bbff0d6a47856314a_JaffaCakes118

  • Size

    281KB

  • Sample

    240420-fpf92aaa2y

  • MD5

    fbfc3b70d6f2781bbff0d6a47856314a

  • SHA1

    3ca4524e76b565ca4e4137c75d580532d90b40d0

  • SHA256

    f6894b3c61c194219b9f1f1fd8b9f23081f242d0ce55b88c8e8fb9662f608d84

  • SHA512

    fe0c5cad87a3ce3ab99f14da831f5237fe994c67b1875006633c194bd8a7156008adf0e55b83bf92acc98dca12ef6abd3dab98fdf0e49901e34033ffdfa6e152

  • SSDEEP

    6144:yDKW1Lgbdl0TBBvjc/lq/5R5VLC6J22UU2h+BrDRSM:Uh1Lk70TnvjctE5tWQUUDFx

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Hacker/rampo

C2

127.0.0.1:5552

Mutex

99f1fff43130b52fb4ab8da313b67d7c

Attributes

  • reg_key

    99f1fff43130b52fb4ab8da313b67d7c

  • splitter

    |'|'|

Targets

    • Target

      fbfc3b70d6f2781bbff0d6a47856314a_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Impair Defenses (T1562): 1
  • Disable or Modify System Firewall (T1562.004): 1
  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks