General

  • Target

    4a656e64683cd0504d1a877af1b6920c_JaffaCakes118

  • Size

    324KB

  • Sample

    240516-lc7jcadh31

  • MD5

    4a656e64683cd0504d1a877af1b6920c

  • SHA1

    dd6be219ff7911d77b999764cb720501367f46f8

  • SHA256

    a2e0dbf8088acc60a555f90a7547bff543e8f88e76945841d2f3e44c495c2c7e

  • SHA512

    7243cf65ffb88e971f873d2be12d58cdce0534964d19ba80fd8a127fa47c4962a6da5be79538ae21a6b124581b55d9a15a60252c499951d219fdc65a01d8ef98

  • SSDEEP

    6144:LPdh3AM4t6oIIf3obSx4ak/lWLAQ3nFZc0Xm2icHOgga:h5BWwIPOSxPk/0cQ3nFZfXm2io

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7.3

  • Botnet

    Lime

  • C2

    ploxtermaster.duckdns.org:6699

  • Mutex

    Client.exe

Attributes

  • reg_key

    Client.exe

  • splitter

    luffy

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Defense Evasion

    Virtualization/Sandbox Evasion, T1497 (2)

  • Discovery

    Query Registry, T1012 (5)

    Virtualization/Sandbox Evasion, T1497 (2)

    System Information Discovery, T1082 (4)

    Peripheral Device Discovery, T1120 (1)

Tasks