General

  • Target

    ca99c6bc2600639da284aaf6867b02bc_JaffaCakes118

  • Size

    37KB

  • Sample

    240830-ltws6syhmn

  • MD5

    ca99c6bc2600639da284aaf6867b02bc

  • SHA1

    99b005a7be80749c39f4d14de54239a836c5fc4b

  • SHA256

    faf6498888eb30824545549d8475ab5462d8d9d0fed08400f89b1c9cec32c677

  • SHA512

    3818a12dd71fab82adbae5f8aab1da7bdb5df397675c8f0ccd6f71fce19f125eeb33da32200d745a655b90eade5f4a8612572f1907181bc76008dd3d894f252f

  • SSDEEP

    384:YM2S3hUidkQXR21cGMy8PUwxvToFly4JSrAF+rMRTyN/0L+EcoinblneHQM3epzy:d2S3vLGv8PUwxUi4QrM+rMRa8Nueft

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

192.168.0.104:5552

Mutex

d57579892b0fbc9af3f1880b66f33674

Attributes

  • reg_key

    d57579892b0fbc9af3f1880b66f33674

  • splitter

    |'|'|

Targets

    • Target

      ca99c6bc2600639da284aaf6867b02bc_JaffaCakes118

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Enterprise v15

Tasks