General

  • Target

    850badaf86c5e5e61ae8c60159c7ed16_JaffaCakes118

  • Size

    273KB

  • Sample

    240530-1w57yscb62

  • MD5

    850badaf86c5e5e61ae8c60159c7ed16

  • SHA1

    bc9f449d7cd85a20b2b98765346dc13e2afd85b9

  • SHA256

    193e404af3023501e5ce9e9cf93021a7d0004d2b7491719f93958da61ecd524d

  • SHA512

    dc981ecae9670033bdafd46441c7158493ec5e7548dee080d0744f9497d30be0265c283b8a3d10c4a94c348c6a083c9df28f35a91a2cbe87ea056c93651cae40

  • SSDEEP

    6144:lQpWOBQ2AW+MUz8MdBcXyQYCV8dLkreqG24JaQu:ut1UAaBcXyQLV8FcuaR

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    svchost

  • C2

    kvinx.ddns.net:5252

  • Mutex

    744c963c9a34d433917ba02967b1684e

Attributes

  • reg_key

    744c963c9a34d433917ba02967b1684e

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks