General

  • Target

    7cad953000f8106428a6083b71cdc444_JaffaCakes118

  • Size

    101KB

  • Sample

    240731-q9g26swgqm

  • MD5

    7cad953000f8106428a6083b71cdc444

  • SHA1

    bc9a88a7a46d2ab7fe1b4d380b49b502da6272d8

  • SHA256

    148f7d2376a35f578b4e5e47a92870161f9786bc2be41f47dcab8e1630ed93b6

  • SHA512

    cea68a57d494502df71b7adc80825cefaf4d46c85285aac4de2b52d928eb2dd92cf157b72d0be8ea4feacc2b221d7b253bcabb72aa16e61b64c609e1de98bf33

  • SSDEEP

    3072:SbRjCno+xsGRwAMrKmjJ6b6SCogIrBS8TZ5:Sbd+XRwArb6SCogIVS8T

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Fikra

  • C2

    127.0.0.1:4444

  • Mutex

    34721fcab8ffee9f1ed318fe32292505

Attributes

  • reg_key

    34721fcab8ffee9f1ed318fe32292505

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15