General

  • Target

    7b777263642cd694415accdb45b19de6_JaffaCakes118

  • Size

    223KB

  • Sample

    240528-dkgc5ade66

  • MD5

    7b777263642cd694415accdb45b19de6

  • SHA1

    157c6b950a34e59a575c943955d4a6347f484b2b

  • SHA256

    23ce7d714e8ccd6fe40a1b10803b587e2cf4dbb61e8ee4624654d7fd2c38bdf7

  • SHA512

    525a71dd76441cb2f25706594217ddff2300fb1c177f821334993c46e041a8ac3416031183f013083397ec270a15e0b98cb28579ed891a003a58321c52e55e6a

  • SSDEEP

    1536:SoqdjhPaj/r8YOQLFCdZt5W8SOMIOGZ+qqeydYNAX5Jo/FRKP6ecRiTn:Od0jjNfgZt5Wpkee/C

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cb4cb4

C2

cb4cb4.ddns.net:1604

Mutex

2b4311709f49c1773d2dd641126cf3dd

Attributes
  • reg_key

    2b4311709f49c1773d2dd641126cf3dd

  • splitter

    |'|'|

Targets

    • Target

      7b777263642cd694415accdb45b19de6_JaffaCakes118

    • Size

      223KB

    • MD5

      7b777263642cd694415accdb45b19de6

    • SHA1

      157c6b950a34e59a575c943955d4a6347f484b2b

    • SHA256

      23ce7d714e8ccd6fe40a1b10803b587e2cf4dbb61e8ee4624654d7fd2c38bdf7

    • SHA512

      525a71dd76441cb2f25706594217ddff2300fb1c177f821334993c46e041a8ac3416031183f013083397ec270a15e0b98cb28579ed891a003a58321c52e55e6a

    • SSDEEP

      1536:SoqdjhPaj/r8YOQLFCdZt5W8SOMIOGZ+qqeydYNAX5Jo/FRKP6ecRiTn:Od0jjNfgZt5Wpkee/C

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks