General

  • Target

    c6a3722aa9098d983ebeb9163d366627_JaffaCakes118

  • Size

    582KB

  • Sample

    240828-l4c4tawcll

  • MD5

    c6a3722aa9098d983ebeb9163d366627

  • SHA1

    eba9fae31dc82786ebf4d75489058ac470b23c55

  • SHA256

    e7ab67984c2003f38266126541796ff26be38445a24137887f1aee169c816969

  • SHA512

    9eabcd2838570d4502977cc12e85d92f24c08ee5916965bc940d3416ec17df3bb2c40914baee65a5984065bce1b4c79e771f0bf513525b912be0d01ddf253638

  • SSDEEP

    6144:+/iQb+ckQsH8TDRGKJkSvGUlYG2Ks49gDmt3bN0uh+q8Q6ZJt8MCzJFQepf2klj:9Qnk3GDYKGcblfd9gDmtrN0pq8Qa7Q5

Malware Config

Extracted

  • Family

    njrat

  • Version

    Njrat 0.7 Golden By Hassan Amiri

  • Botnet

    eroxsik1241

  • C2

    eroxsik.ddns.net:5552

  • Mutex

    Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL
