Overview

overview

10

Static

static

10

c00f7d8215...18.exe

windows7-x64

10

c00f7d8215...18.exe

windows10-2004-x64

10

Derruba wify 2.9.exe

windows7-x64

10

Derruba wify 2.9.exe

windows10-2004-x64

10

Pinger.bat

windows7-x64

3

Pinger.bat

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    c00f7d82150775e2d68de0dc67284845_JaffaCakes118

  • Size

    193KB

  • Sample

    240825-ga7n4sxdng

  • MD5

    c00f7d82150775e2d68de0dc67284845

  • SHA1

    c7ad35c74851748a32389e66589a43a73a02208e

  • SHA256

    ce5838a57e1f130de9f51b076c129e1d98b0451202715f74f023d43dac0c8fd5

  • SHA512

    c8f71a8cbcbd66abc38318b71185820c0eba99dbe2e6d8fc0450127b7c73c0958f7f93eeb59df97d8b8cac881191db5fde7cd3b9f870e237c231263eff19f013

  • SSDEEP

    3072:YqRaMrUwmuvDWLcxjsNmVD7j6VDuatFd/uB15Jjj2YTZ+QuBvto0z4GEKzfRP3JV:Ynx1Wj3njsZf/ubPtuvto0zIKbRPOXQ

Score
10/10
njratderruba wify 2.9discoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Derruba wify 2.9

C2

amofamilia.duckdns.org:1177

Mutex

e1d27be8778b71bec4f3b3adec764943

Attributes
  • reg_key

    e1d27be8778b71bec4f3b3adec764943

  • splitter

    |'|'|

Targets

    • Target

      c00f7d82150775e2d68de0dc67284845_JaffaCakes118

    • Size

      193KB

    • MD5

      c00f7d82150775e2d68de0dc67284845

    • SHA1

      c7ad35c74851748a32389e66589a43a73a02208e

    • SHA256

      ce5838a57e1f130de9f51b076c129e1d98b0451202715f74f023d43dac0c8fd5

    • SHA512

      c8f71a8cbcbd66abc38318b71185820c0eba99dbe2e6d8fc0450127b7c73c0958f7f93eeb59df97d8b8cac881191db5fde7cd3b9f870e237c231263eff19f013

    • SSDEEP

      3072:YqRaMrUwmuvDWLcxjsNmVD7j6VDuatFd/uB15Jjj2YTZ+QuBvto0z4GEKzfRP3JV:Ynx1Wj3njsZf/ubPtuvto0zIKbRPOXQ

    Score
    10/10
    njratderruba wify 2.9discoveryevasionpersistenceprivilege_escalationtrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      Derruba wify 2.9.exe

    • Size

      23KB

    • MD5

      340aeb18fbdfa12c0609c08ee01ea82a

    • SHA1

      fcb02e86594074a5c549041413dc98d0a25d2931

    • SHA256

      04f596d4cee94417466c18d319398570d1e35a475c92543c64fd2605edee9fcc

    • SHA512

      a8c768c538c0955a36e25a7de2b6dd89b6a755f6ae514d1035a172cd7946330c53ea70cfd739f5787ead218f3cf9d053eab2c7323dd6203f242214f89ba49545

    • SSDEEP

      384:8n8aY1ia0N/IH+WUiWiLcXyUTly2Rc87po6ngB8W+tqlf5mRvR6JZlbw8hqIusZC:8m1Re/E+WUiW6ci6NR7tZRpcnur

    Score
    10/10
    njratderruba wify 2.9discoveryevasionpersistenceprivilege_escalationtrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

    • Target

      Pinger.bat

    • Size

      3KB

    • MD5

      93e0eb0f20794d18a8885ec2d947ccdf

    • SHA1

      acfc71f2caec70829c59d86a17667c4f9f138fe8

    • SHA256

      6df4a8f23ae3dca463232b8f8b1e8ce83e51deda3e131a173ec16bf2fc9b8683

    • SHA512

      f51db4799e9cd7f3289875792eefc571b6e272f11e2a3d2274b19856d400c76e5ac96c8185122b7a2d0f2a90e9e77ecb298cf9a4a7156b39381c1d18fed2105d

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks