General

  • Target

    061a8d9824446f45d5112cbdd803f173_JaffaCakes118

  • Size

    8.7MB

  • Sample

    240623-p41fws1cpa

  • MD5

    061a8d9824446f45d5112cbdd803f173

  • SHA1

    f9ba93c1f7fa8adc7b7565f222d937ec56b97f75

  • SHA256

    da61cd60682f6d7b95972d59830d9ac6d39690d1de4047f4768b0bfc572b78fa

  • SHA512

    a69702e0dbe35accccba436af507557af5caeff0dba4040e56a22f109977c15147c83bc49b30dde9c94b92d11170659d260ae7d389f6aa871383267d2b2a0524

  • SSDEEP

    196608:SNBr/hpKFNfXtF0lbCR7QrWwrueSpEarKOa1oe8fv:SNxCFVXD0o/wrZiEaVa1ol

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

pwtknew1

C2

pwtk02.ddns.net:5552

Mutex

25181c9f909bd4441f2b53785cd683a2

Attributes
  • reg_key

    25181c9f909bd4441f2b53785cd683a2

  • splitter

    |'|'|
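The extracted values above (splitter, C2, botnet id) are enough to write a frame decoder for the bot's traffic. The following is an added example, not part of the sandbox report and not the malware's own code. It assumes the commonly documented njRAT 0.7d framing: each message is a decimal length, a NUL byte, then the payload, with fields joined by the configured splitter, and the `ll` registration beacon carries base64 of `<botnet>_<hardware id>` as its first field. The field order after that varies by build and is left raw. The sample stream is constructed for illustration, not captured from this sample.

```python
"""Decode njRAT-style frames using the splitter and botnet id from the extracted config.

Added example. Framing and the 'll' beacon layout are assumptions based on public
njRAT 0.7d write-ups; the sample traffic below is constructed, not captured.
"""
import base64

# Values taken from the extracted config.
SPLITTER = b"|'|'|"
C2_HOST = "pwtk02.ddns.net"
C2_PORT = 5552
BOTNET_ID = b"pwtknew1"


def split_frames(stream: bytes):
    """Cut a TCP payload stream into njRAT frames.

    Assumed framing: b"<decimal length>\\x00<payload>", payload fields joined by
    SPLITTER. Returns (list of field lists, unconsumed tail). The tail is
    non-empty when the last frame is incomplete or the bytes are not njRAT
    framing at all, so the caller can buffer and retry on the next segment.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break
        length_bytes = stream[pos:nul]
        if not length_bytes.isdigit():
            break                      # not a length prefix: stop, keep the tail
        length = int(length_bytes)
        start = nul + 1
        if start + length > len(stream):
            break                      # partial frame: wait for more bytes
        frames.append(stream[start:start + length].split(SPLITTER))
        pos = start + length
    return frames, stream[pos:]


def decode_registration(fields):
    """Interpret an 'll' registration beacon; returns None for other commands.

    Assumption: field 1 is base64 of "<botnet>_<hardware id>". If it does not
    decode as base64 it is used as-is. Remaining fields are kept raw because
    their order differs between builds.
    """
    if not fields or fields[0] != b"ll" or len(fields) < 2:
        return None
    try:
        victim = base64.b64decode(fields[1], validate=True)
    except ValueError:                 # binascii.Error is a ValueError subclass
        victim = fields[1]
    botnet, _, hwid = victim.partition(b"_")
    return {
        "botnet": botnet.decode(errors="replace"),
        "hwid": hwid.decode(errors="replace"),
        "extra": [f.decode(errors="replace") for f in fields[2:]],
    }


def matches_config(frames, botnet=BOTNET_ID):
    """True if any registration frame carries this config's botnet id.

    The splitter alone is shared by the whole family; the botnet id ties a
    stream to this specific build/campaign.
    """
    for fields in frames:
        reg = decode_registration(fields)
        if reg and reg["botnet"].encode() == botnet:
            return True
    return False


def build_frame(*fields: bytes) -> bytes:
    """Encode fields into one frame (used here only to construct test data)."""
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample traffic: one registration beacon, then a frame that was
# only half received (declared length 12, fewer bytes present).
SAMPLE_STREAM = (
    build_frame(b"ll", base64.b64encode(BOTNET_ID + b"_1A2B3C4D"),
                b"DESKTOP-TEST", b"user", b"Win 10 Pro", b"No", b"0.7d")
    + b"12\x00inf" + SPLITTER
)

if __name__ == "__main__":
    frames, tail = split_frames(SAMPLE_STREAM)
    for fields in frames:
        print(fields[0], decode_registration(fields))
    print("buffered tail:", tail)
    print("matches extracted config:", matches_config(frames))
```

Run it against a reassembled TCP stream to `pwtk02.ddns.net:5552` (or whatever the dynamic DNS name resolves to at the time, since DDNS C2 addresses change) and keep the returned tail between segments; a non-empty tail that never clears means either a partial capture or traffic that is not njRAT framing.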

Targets

    • Target

      061a8d9824446f45d5112cbdd803f173_JaffaCakes118

    • Size

      8.7MB

    • MD5

      061a8d9824446f45d5112cbdd803f173

    • SHA1

      f9ba93c1f7fa8adc7b7565f222d937ec56b97f75

    • SHA256

      da61cd60682f6d7b95972d59830d9ac6d39690d1de4047f4768b0bfc572b78fa

    • SHA512

      a69702e0dbe35accccba436af507557af5caeff0dba4040e56a22f109977c15147c83bc49b30dde9c94b92d11170659d260ae7d389f6aa871383267d2b2a0524

    • SSDEEP

      196608:SNBr/hpKFNfXtF0lbCR7QrWwrueSpEarKOa1oe8fv:SNxCFVXD0o/wrZiEaVa1ol

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks