General

  • Target

    8082dc64e072c3c1c816fb10d54c5b46_JaffaCakes118

  • Size

    491KB

  • Sample

    240529-m3kmyacc51

  • MD5

    8082dc64e072c3c1c816fb10d54c5b46

  • SHA1

    6bc3ae1761044e8ebb7c036de98ca016a7371181

  • SHA256

    e5dd0b5a738b20ca30fd528b3d73561bb04c4cf1f4df523b896c3b6757c28336

  • SHA512

    d49ca18f0bab5125bffff85c43e7387f0441f59bd54a499049d34ef6e29a459dccb24d92d8ed0f60c1bfd13938a68ad41ea28b83430e2d38c0cf7ed82d072456

  • SSDEEP

    6144:JdSIHx/C9akzPAJUoofUXunIn6SY7XnETQRWaE4I8Kavb:WDraveOY7eQRWaM8dvb

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7 MultiHost

  • Botnet

    nova

  • C2

    shell.blackunix.com:1723
    shell.blackunix.net:1723
    nodio.blackunix.com:1723
    nodio.blackunix.net:1723
    kano.blackunix.com:1723
    kill.blackunix.com:1723
    kurtm.blackunix.com:1723

  • Mutex

    1a9c91f6e0310d4f55b7ee7f22c2c9df

  • Attributes

    • reg_key

      1a9c91f6e0310d4f55b7ee7f22c2c9df

    • splitter

      |'|'|

Targets

    • Target

      8082dc64e072c3c1c816fb10d54c5b46_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Adds Run key to start application

      Persistence through a Run key under HKCU or HKLM; in njRAT configs the reg_key attribute shown above is the value name written under that key.

    • Suspicious use of SetThreadContext

      Typically a sign that the sample injects into or hollows another process and redirects that process's main thread to the injected code.
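
The extracted config above (C2 hosts and port, the reg_key that doubles as the mutex name, and the |'|'| field splitter) is enough to hunt for this sample without ever running it. The script below is an added example, not code from the sandbox report or from njRAT itself: it turns the config into three checks, a parser for C2 traffic framed the way the njRAT 0.7 family frames it (length prefix, NUL, payload split on |'|'|, a framing detail that is known for this family but not stated on this page), a proxy-log scan for the configured host:port pairs, and a Run-key scan for the reg_key value. The sample TCP stream, proxy lines and registry dump are constructed here for illustration; the "related" and "hex-name" verdicts are heuristics of mine, not findings from the report.

```python
"""Hunting helpers derived from the njRAT config extracted above.

Added example: not code from the sandbox report or from njRAT. Anything
marked "assumption" or "constructed" is mine, not from the page.
"""
import re

# Indicators copied verbatim from the extracted config.
C2_HOSTS = {
    "shell.blackunix.com", "shell.blackunix.net",
    "nodio.blackunix.com", "nodio.blackunix.net",
    "kano.blackunix.com", "kill.blackunix.com", "kurtm.blackunix.com",
}
C2_PORT = 1723
REG_KEY = "1a9c91f6e0310d4f55b7ee7f22c2c9df"  # Run-key value name; same string as the mutex
SPLITTER = "|'|'|"                             # field separator inside C2 messages

# Parent domains shared by the configured hosts; a sibling host on the same
# domain and port is worth flagging even though it is not in this config.
PARENT_DOMAINS = {h.split(".", 1)[1] for h in C2_HOSTS}


def build_frame(*fields):
    """Encode one message the way njRAT 0.7 frames it on the wire.

    Framing assumption (known for this family, not stated on the page):
    "<decimal length>" + NUL + payload, payload fields joined by SPLITTER.
    Used here only to construct sample traffic for the parser below.
    """
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


def parse_njrat_frames(stream):
    """Split a reassembled TCP stream into one field list per frame.

    Stops at the first malformed or truncated frame, so a partial capture
    still yields every complete message before the cut.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1 or not stream[pos:nul].isdigit():
            break                                  # no length prefix: not this framing
        length = int(stream[pos:nul])
        payload = stream[nul + 1:nul + 1 + length]
        if len(payload) != length:
            break                                  # truncated frame
        frames.append(payload.decode("utf-8", "replace").split(SPLITTER))
        pos = nul + 1 + length
    return frames


def hunt_network(log_lines):
    """Return (line_no, host, verdict) for connections to the configured C2.

    "exact" is a host:port from the config; "related" (my heuristic) is another
    host on the same parent domain and port.
    """
    hits = []
    endpoint = re.compile(r"(?P<host>[A-Za-z0-9.-]+):(?P<port>\d+)")
    for n, line in enumerate(log_lines, 1):
        for m in endpoint.finditer(line):
            host, port = m["host"].lower(), int(m["port"])
            if port != C2_PORT:
                continue
            if host in C2_HOSTS:
                hits.append((n, host, "exact"))
            elif any(host.endswith("." + d) for d in PARENT_DOMAINS):
                hits.append((n, host, "related"))
    return hits


def hunt_registry(reg_query_lines):
    """Scan `reg query ... /s`-style output for the persistence value.

    Format assumption: a key line starts with "HKEY_"; value lines are
    "<indent><name>  <REG_type>  <data>" with no spaces in the name.
    Returns (key, name, data, verdict): "exact" for this sample's reg_key,
    "hex-name" (heuristic) for any other bare 32-hex value name like it.
    """
    hits, key = [], None
    value = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
    for line in reg_query_lines:
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and key.endswith(r"\CurrentVersion\Run"):
            m = value.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(3)
            if name.lower() == REG_KEY:
                hits.append((key, name, data, "exact"))
            elif re.fullmatch(r"[0-9a-f]{32}", name.lower()):
                hits.append((key, name, data, "hex-name"))
    return hits


# Constructed sample inputs (not real captures from this sample).
SAMPLE_STREAM = (
    build_frame("ll", "WIN-TEST", "admin")
    + build_frame("inf", "0.7 MultiHost")
    + b"9\x00act|'|'"                              # cut mid-frame, like a partial pcap
)
SAMPLE_PROXY_LOG = [
    "2024-05-29T10:01:12Z CONNECT shell.blackunix.com:1723 from 10.0.0.5",
    "2024-05-29T10:01:13Z CONNECT update.example.com:443 from 10.0.0.5",
    "2024-05-29T10:02:40Z CONNECT kurtm.blackunix.net:1723 from 10.0.0.7",
    "2024-05-29T10:03:01Z CONNECT nodio.blackunix.net:1723 from 10.0.0.9",
]
SAMPLE_REG_QUERY = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    OneDrive    REG_SZ    C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"    1a9c91f6e0310d4f55b7ee7f22c2c9df    REG_SZ    C:\Users\u\AppData\Roaming\svchost.exe",
]

if __name__ == "__main__":
    for frame in parse_njrat_frames(SAMPLE_STREAM):
        print("frame:", frame)
    print("network:", hunt_network(SAMPLE_PROXY_LOG))
    print("registry:", hunt_registry(SAMPLE_REG_QUERY))
```

The parser deliberately stops rather than resynchronising when a frame is short, so a hit list from a truncated capture only contains messages that were actually complete. Matching on the parent domain as well as the exact host list is what makes the third proxy line visible: kurtm.blackunix.net is not in this config, but blocking the two blackunix parent domains on 1723 covers every host that is, plus any sibling a later build might use.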

MITRE ATT&CK Enterprise v15

Tasks