General

- Target: dc30bf9e8cb09779d323ee38d22b1899_JaffaCakes118
- Size: 37KB
- Sample: 240912-l7npqa1grn
- MD5: dc30bf9e8cb09779d323ee38d22b1899
- SHA1: f71fcca1a7261ab6976d584b9cac2bcacef78634
- SHA256: e981ef67974d92e71149c2d4a15deae7459df117b7619c7ea4d9b581da0b42d0
- SHA512: c3df01f37a4e82c528a8b7ecf9cc20796af92a18b2cd8c684e7700b9df8069fc159c6a37a3717aa71568a4ff2911d5a0866b7eea490cca75e8909121a3210673
- SSDEEP: 768:SJoDQmUbCv/cP1mztvWZVrM+rMRa8Nu8tt:S6DAbW0NOtOZO+gRJNr
Behavioral task: behavioral1
- Sample: dc30bf9e8cb09779d323ee38d22b1899_JaffaCakes118.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: dc30bf9e8cb09779d323ee38d22b1899_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
Malware Config

Extracted: njrat
- im523
- HacKed
- 192.168.0.14:5552
- 1f944304fc89b1ac93b5268ff3ea2fff
- reg_key: 1f944304fc89b1ac93b5268ff3ea2fff
- splitter: |'|'|
Targets

- Target: dc30bf9e8cb09779d323ee38d22b1899_JaffaCakes118
- Size: 37KB
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops autorun.inf file: malware can abuse Windows Autorun to spread further via attached volumes.
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (1)