General

  • Target

    81edcd946e3156ee49f7c24b7100b110_JaffaCakes118

  • Size

    3.7MB

  • Sample

    240529-zy23msaf67

  • MD5

    81edcd946e3156ee49f7c24b7100b110

  • SHA1

    438562088c52dcf14ccb9a81fb76e5b42b9f87f0

  • SHA256

    53e6818c438ceb53a4213a0cd961359043fff77bc2bb0674992e54c83705c852

  • SHA512

    8d8959a98fd40c58677edcebcf42ad3fb9ab36411e84526e34a30d90ddab938e7d2d22aa5295c86bf794798c1892bac6d1e6b442126fa7eca1cdd899b5a9ca83

  • SSDEEP

    98304:abXsyiWeIqEsMISXg0V8Mw118EdMUDAM:abXfLQtL3LL

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

GENRAM MOTO

C2

milla.publicvm.com:1177

Mutex

c1e444094e4e1836ba8400b3d476c9ef

Attributes
  • reg_key

    c1e444094e4e1836ba8400b3d476c9ef

  • splitter

    |'|'|

Targets

    • Target

      81edcd946e3156ee49f7c24b7100b110_JaffaCakes118

    • Size

      3.7MB

    • MD5

      81edcd946e3156ee49f7c24b7100b110

    • SHA1

      438562088c52dcf14ccb9a81fb76e5b42b9f87f0

    • SHA256

      53e6818c438ceb53a4213a0cd961359043fff77bc2bb0674992e54c83705c852

    • SHA512

      8d8959a98fd40c58677edcebcf42ad3fb9ab36411e84526e34a30d90ddab938e7d2d22aa5295c86bf794798c1892bac6d1e6b442126fa7eca1cdd899b5a9ca83

    • SSDEEP

      98304:abXsyiWeIqEsMISXg0V8Mw118EdMUDAM:abXfLQtL3LL

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks