General

  • Target

    566cbbea4da936e0b4012181dde49ced_JaffaCakes118

  • Size

    83KB

  • Sample

    240718-jk4rbasdpb

  • MD5

    566cbbea4da936e0b4012181dde49ced

  • SHA1

    529f3e4666813410abcec4b5f0f790e431983f38

  • SHA256

    c67c18e006d0acf3c0188f842c929bd9e445e7e891db0830dc50afda835b17e5

  • SHA512

    fc96e5cff59e30737a1cddb503a91f385446e3e721d5f800e4c6674d3045b17236b9f20dca198cfe06f4057152fae983b057e177cdc0132b20eef228ddfb3343

  • SSDEEP

    1536:QTE+keE7LK+wM3xt2lgG8ucVakxk7Y/c7PFv0v5/fjWljj:QaTcM3S87wF7P10v5/fjWRj

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

DDD

C2

frankooxyz2.ddns.net:48443

Mutex

581153482cb6003050ef63cae0773a6e

Attributes
  • reg_key

    581153482cb6003050ef63cae0773a6e

  • splitter

    |'|'|
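
The splitter above is the field delimiter njRAT uses inside its C2 messages. As an added example (not code from this report or from the malware), the block below decodes njRAT-style frames with that delimiter. The framing it assumes comes from public analyses of njRAT 0.7d: every message is sent as its decimal length, a NUL byte, then the payload, and the payload's fields are joined by the configured splitter with the command keyword first. The registration (`ll`) and keep-alive (`P`) frames it parses are constructed for illustration, the field order after the victim ID is simplified, and the hostname, user and HWID in them are made up; the botnet tag, C2 host and port are the values extracted above.

```python
"""Decode njRAT-style C2 frames with the splitter from the extracted config.

Added example, not code from the sandbox report or the malware. Framing
assumptions (public analyses of njRAT 0.7d): each message is
"<decimal length>\\0<payload>", payload fields are joined by the splitter,
and the first field is the command keyword. The sample frames are constructed.
"""
import base64
from dataclasses import dataclass, field

SPLITTER = "|'|'|"                                  # extracted config: splitter
BOTNET = "DDD"                                      # extracted config: botnet tag
C2_HOST, C2_PORT = "frankooxyz2.ddns.net", 48443    # extracted config: C2


@dataclass
class Frame:
    command: str
    fields: list[str] = field(default_factory=list)


def encode_frame(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Build one wire frame: decimal length, NUL, then splitter-joined fields."""
    payload = splitter.join((command, *fields)).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(stream: bytes) -> list[bytes]:
    """Cut a reassembled TCP stream into payloads using the length prefix.
    A NUL inside a payload is harmless: the prefix is always read first."""
    payloads = []
    pos = 0
    while pos < len(stream):
        nul = stream.index(b"\x00", pos)
        length = int(stream[pos:nul])           # ValueError if prefix is not decimal
        start = nul + 1
        payload = stream[start:start + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        payloads.append(payload)
        pos = start + length
    return payloads


def parse_frame(payload: bytes, splitter: str = SPLITTER) -> Frame:
    """Split one payload into command keyword and fields."""
    parts = payload.decode("utf-8", errors="replace").split(splitter)
    return Frame(command=parts[0], fields=parts[1:])


def victim_tag(frame: Frame) -> tuple[str, str]:
    """The first 'll' field is base64('<botnet tag>_<hwid>')."""
    if frame.command != "ll" or not frame.fields:
        raise ValueError("not a registration frame")
    raw = base64.b64decode(frame.fields[0]).decode("utf-8", errors="replace")
    tag, _, hwid = raw.partition("_")
    return tag, hwid


def build_sample_stream() -> bytes:
    """Constructed traffic: one registration frame followed by a keep-alive.
    Field order after the victim ID is simplified; real builds vary."""
    hwid = "0123ABCD"                                   # made-up volume serial
    victim_id = base64.b64encode(f"{BOTNET}_{hwid}".encode()).decode("ascii")
    registration = encode_frame(
        "ll", victim_id, hwid, "DESKTOP-LAB01", "analyst",
        "Win 10 Pro SP0 x64", "No", "0.7d",
    )
    return registration + encode_frame("P")


def decode_stream(stream: bytes) -> list[Frame]:
    """Decode a whole stream into Frame objects."""
    return [parse_frame(p) for p in split_frames(stream)]


if __name__ == "__main__":
    frames = decode_stream(build_sample_stream())
    for fr in frames:
        print(fr.command, fr.fields)
    print("botnet tag / hwid:", victim_tag(frames[0]),
          "expected C2:", (C2_HOST, C2_PORT))
```

When run against a real capture, feed `split_frames` the reassembled client-to-server byte stream on the C2 port; a stream that does not start with a decimal length and NUL is not this framing, and a mismatch between the decoded botnet tag and the configured one is a quick check that the config extractor and the traffic agree.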

Targets

    • Target

      566cbbea4da936e0b4012181dde49ced_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

      In njRAT this is normally done by registering the dropped executable as an allowed program (netsh firewall add allowedprogram ... ENABLE); confirm the exact command in the task's process tree.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      Persistence through the Run registry key; in njRAT the value name is the reg_key from the extracted config (here identical to the mutex), which makes it a direct host-side indicator.

    • Suspicious use of SetThreadContext

      Typical of process hollowing: a process is started suspended, its image is replaced, and the thread's entry point is redirected with SetThreadContext before ResumeThread.

MITRE ATT&CK Enterprise v15

Tasks