General

  • Target

    7a5304e464f29292e92597fbc49fa957_JaffaCakes118

  • Size

    183KB

  • Sample

    240527-ymhzyshb77

  • MD5

    7a5304e464f29292e92597fbc49fa957

  • SHA1

    6aac79050f83135826a67d78b1eb7a0622868ab9

  • SHA256

    6399aaa0089894ebfeab0d021997ee534fe8def4d398940c14e42ee18998f6ce

  • SHA512

    19048f6263876771f9a22c4167f98f1df6218839b1de9b3275be301ed3bbae557cbca5432e8370d355c38f3ec2ed92d60b87a6002e65cc0b002f0b15c3906a1d

  • SSDEEP

    1536:JxqjQ+P04wsmJCLSwjOAbDLy+y8FqAxh41a//PCczhrR1Culo/D:sr85CLXCAbDO+fi4iczhrRYulo7

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    PC

  • C2

    waynegriffin.linkpc.net:4867

  • Mutex

    b5cc29546a1aa0eeedcb4b72f8d650c8

  • Attributes

    reg_key: b5cc29546a1aa0eeedcb4b72f8d650c8

    splitter: |'|'|

Targets

    • Target

      7a5304e464f29292e92597fbc49fa957_JaffaCakes118

    • Size

      183KB

    • MD5

      7a5304e464f29292e92597fbc49fa957

    • SHA1

      6aac79050f83135826a67d78b1eb7a0622868ab9

    • SHA256

      6399aaa0089894ebfeab0d021997ee534fe8def4d398940c14e42ee18998f6ce

    • SHA512

      19048f6263876771f9a22c4167f98f1df6218839b1de9b3275be301ed3bbae557cbca5432e8370d355c38f3ec2ed92d60b87a6002e65cc0b002f0b15c3906a1d

    • SSDEEP

      1536:JxqjQ+P04wsmJCLSwjOAbDLy+y8FqAxh41a//PCczhrR1Culo/D:sr85CLXCAbDO+fi4iczhrRYulo7

    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: malware from this family injects itself into other executable files in order to spread and cause damage.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique ID, the technique name, and the number of matched signatures in parentheses.

Persistence

  • T1543 Create or Modify System Process (1)

  • T1543.003 Windows Service (1)

  • T1546 Event Triggered Execution (1)

  • T1546.001 Change Default File Association (1)

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1543 Create or Modify System Process (1)

  • T1543.003 Windows Service (1)

  • T1546 Event Triggered Execution (1)

  • T1546.001 Change Default File Association (1)

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1562 Impair Defenses (1)

  • T1562.004 Disable or Modify System Firewall (1)

  • T1112 Modify Registry (2)

Credential Access

  • T1552 Unsecured Credentials (1)

  • T1552.001 Credentials In Files (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Collection

  • T1005 Data from Local System (1)

Tasks