General

  • Target

    bcecb86f681fe916b0c9a696587527ab_JaffaCakes118

  • Size

    139KB

  • Sample

    240618-t5ja8awbjp

  • MD5

    bcecb86f681fe916b0c9a696587527ab

  • SHA1

    e3574e0e7ce71e9d1663e645c00307e297ae20b2

  • SHA256

    7fe9c131e1c0617024f7cac68ff22e40df16a4a1791e9d62688fcfb10a69342e

  • SHA512

    5602f91e6c24662f2c386047886003da9857e7ad86ea38445be448fbdd1104fc594bea961e7fe3a368e10c2d384087f54b354fe18fcfc053c5ad8b65784aebe8

  • SSDEEP

    3072:K2+x+QMgSXupDSbLiAEqFKGC9fMJZ9pEv8cHMjoHIWj:FaTSeRSXKqwG3jEv3HXHI

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed-hh

C2

roro60600.ddns.net:5552

Mutex

5d1c0015a497a83c7f6cb9874dd5fa25

Attributes

  • reg_key

    5d1c0015a497a83c7f6cb9874dd5fa25

  • splitter

    |'|'|

Targets

    • Target

      bcecb86f681fe916b0c9a696587527ab_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Drops startup file

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID, and the number of matching signatures.

  • Persistence

    • Create or Modify System Process (T1543): 1

    • Windows Service (T1543.003): 1

    • Event Triggered Execution (T1546): 1

    • Netsh Helper DLL (T1546.007): 1

  • Privilege Escalation

    • Create or Modify System Process (T1543): 1

    • Windows Service (T1543.003): 1

    • Event Triggered Execution (T1546): 1

    • Netsh Helper DLL (T1546.007): 1

  • Defense Evasion

    • Impair Defenses (T1562): 1

    • Disable or Modify System Firewall (T1562.004): 1

Tasks