General

  • Target

    80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118

  • Size

    23KB

  • Sample

    240529-llff8aac7v

  • MD5

    80496ed45fd4d93eb47080a991bd5f7b

  • SHA1

    aa599254505a2815f01bd1ef934798507d0360d6

  • SHA256

    01b836a07d7ca886f4124815d2e26a7c6e4b710e2e2297a43d30a61521b36cea

  • SHA512

    77ee2a39a2c0b6d46e0a2ac43319d45383ac2494a83a226f434425118bb76d6c3331606f5183ec6144d180914800131368f5b26783e3dbeaf3fa66ec2bf1427b

  • SSDEEP

    384:m9LGxbWRa4Loa1MplQSmucW+EQ6Sg8KtTfyrqmRvR6JZlbw8hqIusZzZlrGz:3xbZailz7YRpcnusrG

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

الــــقـــــوات المــــــــــصـــــريـــــة

C2

ronymahmoudn.ddns.net:6666

Mutex

dcb969badc3b461494cd40fa378bcfe5

Attributes
  • reg_key

    dcb969badc3b461494cd40fa378bcfe5

  • splitter

    |'|'|

Targets

    • Target

      80496ed45fd4d93eb47080a991bd5f7b_JaffaCakes118

    • Size

      23KB

    • MD5

      80496ed45fd4d93eb47080a991bd5f7b

    • SHA1

      aa599254505a2815f01bd1ef934798507d0360d6

    • SHA256

      01b836a07d7ca886f4124815d2e26a7c6e4b710e2e2297a43d30a61521b36cea

    • SHA512

      77ee2a39a2c0b6d46e0a2ac43319d45383ac2494a83a226f434425118bb76d6c3331606f5183ec6144d180914800131368f5b26783e3dbeaf3fa66ec2bf1427b

    • SSDEEP

      384:m9LGxbWRa4Loa1MplQSmucW+EQ6Sg8KtTfyrqmRvR6JZlbw8hqIusZzZlrGz:3xbZailz7YRpcnusrG

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks