General

  • Target

    a4d4a18a45c3d581cb8bbacc66bcdfb0_JaffaCakes118

  • Size

    23KB

  • Sample

    240818-bp6sgaxdrc

  • MD5

    a4d4a18a45c3d581cb8bbacc66bcdfb0

  • SHA1

    30a452bcf3ef40c920874fbcbdb9245e7b348cb6

  • SHA256

    b63b2715421eb98e1fc8292db7386c779b8a2ab8fe28a621c2750b2d27815e15

  • SHA512

    fd44673397302472478c34c110876bd5d6a8809832ad53b6eeb152f6ac5ba98bd464ce039f67e122ad6d2869b750d083c8f14dbaf469560b2baa2215d4932ddf

  • SSDEEP

    384:QL+n2650N3qZbATcjRGC5Eo9D46BgnqUhay1ZmRvR6JZlbw8hqIusZzZXHl:QEm+71d5XRpcnuO

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Google.com

  • C2

    hackedmohand.ddns.net:1177

  • Mutex

    2e2a715a2f39930cd7d4b249f4afa8b8

Attributes
  • reg_key

    2e2a715a2f39930cd7d4b249f4afa8b8

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks