General

Target: 00982b52825113db51775277e3d7922e_JaffaCakes118
Size: 408KB
Sample: 240727-zfkewaxbmk
MD5: 00982b52825113db51775277e3d7922e
SHA1: c6761b4a32d114cc9a7a54af8c62abad6204430a
SHA256: c988b5de0620878a133e5113ce1b64c03bae09d6099c00fb6e248473b92ef371
SHA512: 137b1e63029182e0391ff2cdc38f551862f94db35267178ef4c6418374af45eabde4dfb912ccc2e0dd697996b5e96cc90ed185aef44ee5368f1e200347ef49df
SSDEEP: 6144:ZBGp+tWAh22uCjU4aAS8cQiqebgFq5Bs01DgeaIpGbJ9vYPCjr1kG:jCe22FjxaASjTPcLJ9vYyxk
Static task: static1

Behavioral task: behavioral1
- Sample: 00982b52825113db51775277e3d7922e_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 00982b52825113db51775277e3d7922e_JaffaCakes118.exe
- Resource: win10v2004-20240729-en
Malware Config

Extracted
- Family: njrat
- Version: 0.7d
- Campaign ID: HacKed
- C2: 213.208.152.209:5001
- Mutex: a451a130b7eba7ff1ca03e6e20be0670
- reg_key: a451a130b7eba7ff1ca03e6e20be0670
- splitter: |'|'|
Targets

Target: 00982b52825113db51775277e3d7922e_JaffaCakes118
Size: 408KB
MD5: 00982b52825113db51775277e3d7922e
SHA1: c6761b4a32d114cc9a7a54af8c62abad6204430a
SHA256: c988b5de0620878a133e5113ce1b64c03bae09d6099c00fb6e248473b92ef371
SHA512: 137b1e63029182e0391ff2cdc38f551862f94db35267178ef4c6418374af45eabde4dfb912ccc2e0dd697996b5e96cc90ed185aef44ee5368f1e200347ef49df
SSDEEP: 6144:ZBGp+tWAh22uCjU4aAS8cQiqebgFq5Bs01DgeaIpGbJ9vYPCjr1kG:jCe22FjxaASjTPcLJ9vYyxk
Signatures
- Modifies WinLogon for persistence
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)