Overview

overview

10

Static

static

3

ce2a5974ae...18.exe

windows7-x64

10

ce2a5974ae...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ce2a5974ae17e9d7c140f7ea0d4eecce_JaffaCakes118

  • Size

    93KB

  • Sample

    240905-3ngkqsvanm

  • MD5

    ce2a5974ae17e9d7c140f7ea0d4eecce

  • SHA1

    d8782bb7b6440950b691b0d040bf90492abcd651

  • SHA256

    981468e722ee2e24a8021f4acdd110bcfcb4086288acc873f180ec3a98c23524

  • SHA512

    87d4a4f30c5c0f171861f27f503f9a14eae49e81a462043e8aa4af98b07ef03274089afebcbf4f2a1ec262a212a7a5b87d66134b2320caa91f5853016efed382

  • SSDEEP

    1536:CsB6ybjYhYy+vQKZmnL9xoioKR/7yB5R4ShnIUDHjal/wy0Ja1Qp5:F6yfYB+IKuPH/7y2gD0wy0Ja1Qp

Score
10/10
njratnjdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

nj

C2

199.241.146.179:31922

Mutex

c5dbc4b5114eccb1261dfdb2194089a8

Attributes
  • reg_key

    c5dbc4b5114eccb1261dfdb2194089a8

  • splitter

    |'|'|

Targets

    • Target

      ce2a5974ae17e9d7c140f7ea0d4eecce_JaffaCakes118

    • Size

      93KB

    • MD5

      ce2a5974ae17e9d7c140f7ea0d4eecce

    • SHA1

      d8782bb7b6440950b691b0d040bf90492abcd651

    • SHA256

      981468e722ee2e24a8021f4acdd110bcfcb4086288acc873f180ec3a98c23524

    • SHA512

      87d4a4f30c5c0f171861f27f503f9a14eae49e81a462043e8aa4af98b07ef03274089afebcbf4f2a1ec262a212a7a5b87d66134b2320caa91f5853016efed382

    • SSDEEP

      1536:CsB6ybjYhYy+vQKZmnL9xoioKR/7yB5R4ShnIUDHjal/wy0Ja1Qp5:F6yfYB+IKuPH/7y2gD0wy0Ja1Qp

    Score
    10/10
    njratnjdiscoveryevasionpersistenceprivilege_escalationtrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks