General

  • Target

    7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118

  • Size

    174KB

  • Sample

    240528-qd8v1sef3w

  • MD5

    7d10d67d9f7590e5eff4c9818c6db8e2

  • SHA1

    21051468dfffc8065b12f82e53aa83c9edfe9049

  • SHA256

    7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715

  • SHA512

    b0e0f077dbb464c738044b379f337e3e5ffcfc7a5237a4195fe37b7a2504484cd876c96ead916dc027a9360acd16c61dd56ee9548b3053fcd564c45ee81f2c2c

  • SSDEEP

    3072:OLz++++++++q6cQbsn+ylA3JxMS9xTmEx5VzRl:O/c/nRAPLaEx5d

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.6.4

  • Botnet

    TORRENT

  • C2

    www.fb.linkpc.net:1070

  • Mutex

    ecbfc751e50996e8c53d87b0a26dc0af

Attributes
  • reg_key

    ecbfc751e50996e8c53d87b0a26dc0af

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application
