General

  • Target

    7d1e1abb5a01c42324eebd6087cb8393_JaffaCakes118

  • Size

    554KB

  • Sample

    240731-tw78zsxeka

  • MD5

    7d1e1abb5a01c42324eebd6087cb8393

  • SHA1

    8a031657708f2a085de0153eb8d2c4a61288bf9b

  • SHA256

    626dc4e54d8e594a2d6a809117601e7f6614a7484f5dc229da7da9bd39a62a0c

  • SHA512

    18e93b949be16de67205e0cc56ffe38b37ffcf4ff8570a5b9654488492919f8edb207e9501b97cf9798385343f5e565536691fc856767c08af321157b563fbcb

  • SSDEEP

    12288:1awl6z3KWA/c6O+9FNQDlCnpDo8RkTn1ooQEbBYeCnOKXZA918MwtOHAqaN:P43ocd+9FNGsN90nWEN

Malware Config

Extracted

Family

njrat

Version

0.7.3

Botnet

SUECIA

C2

suecia12.duckdns.org:1990

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    1990

Targets

    • Target

      7d1e1abb5a01c42324eebd6087cb8393_JaffaCakes118

    • Size

      554KB

    • MD5

      7d1e1abb5a01c42324eebd6087cb8393

    • SHA1

      8a031657708f2a085de0153eb8d2c4a61288bf9b

    • SHA256

      626dc4e54d8e594a2d6a809117601e7f6614a7484f5dc229da7da9bd39a62a0c

    • SHA512

      18e93b949be16de67205e0cc56ffe38b37ffcf4ff8570a5b9654488492919f8edb207e9501b97cf9798385343f5e565536691fc856767c08af321157b563fbcb

    • SSDEEP

      12288:1awl6z3KWA/c6O+9FNQDlCnpDo8RkTn1ooQEbBYeCnOKXZA918MwtOHAqaN:P43ocd+9FNGsN90nWEN

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks