General

  • Target

    7775ac08d76574bddfb54f8f5c041fa0_JaffaCakes118

  • Size

    31KB

  • Sample

    240527-btwhasbd3w

  • MD5

    7775ac08d76574bddfb54f8f5c041fa0

  • SHA1

    742087f773a29b848ea11af804509a92ccf723e8

  • SHA256

    ac966a6a373973d4863a47c246955791a69d0802487d5cfc8eb795a315074de6

  • SHA512

    bfa1a7eeab2e2414708037bb062cd0d3290a6a6164e2488897454e4e752ec84281cc41d956d904050ca281403779af9f80a5d1802eac4ab4e1adc7e79b805a6d

  • SSDEEP

    768:kDM2eV/pkkIzxTCjgrm/ITZvKRQmIDUu0tiWdj:KOotBuQVk7j

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    MinecraftServerBruteForce

  • C2

    0.tcp.ngrok.io:4040

  • Mutex

    02664edd42dd721349df1513d118dfb5

Attributes
  • reg_key

    02664edd42dd721349df1513d118dfb5

  • splitter

    Y262SUCZ4UJJ

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2
