General
-
Target
f1138f806dfbff34d1cd88b391546f8a_JaffaCakes118
-
Size
541KB
-
Sample
240922-cl1bysxcqd
-
MD5
f1138f806dfbff34d1cd88b391546f8a
-
SHA1
edb4f2ac5f8f9d0541458d2edde92c0aa85ca60d
-
SHA256
4fa081be390756bb8302090c083fa8fd7e11bf5b0982060a231e5748b3ba2cdc
-
SHA512
96c256826b498b1168327963019b23d7bd5ecc127d5a144fe690e6303c01e7cec98c7bfc8d6a05de393da7583923be4b8f678a45a88337706ef2f30ec2941320
-
SSDEEP
12288:42/xz+nkpdWWP9FOoFUHFxlgqfFxmP535i04vYgn1FRAQFtAi6H98lmD:Zx6EFP9JUX+q9IN/Bg1FWBhGUD
Static task
static1
Behavioral task
behavioral1
Sample
2Cheat Loader.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2Cheat Loader.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
Family
njrat
-
Version
0.7d
-
Botnet
2CHEAT
-
C2
alokliu.ddns.net:3389
-
Mutex
851c1bb86c6c239085c8747c4b02db04
-
Attributes
reg_key
851c1bb86c6c239085c8747c4b02db04
-
splitter
|'|'|
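The extracted configuration above is enough to decode the sample's C2 traffic. njRAT frames each message as the ASCII decimal length of the payload, a NUL byte, then the payload, and joins the fields inside a payload with the configured splitter. The Python below is an added example, not code from the report or the sandbox: the byte stream it parses, the victim ID and the hostname fields are constructed here, and only the splitter, the C2 endpoint and the registry key value come from the config above.

```python
"""Added example: parse njRAT C2 traffic using the config extracted above.

njRAT frames each message as '<ascii decimal payload length>\\x00<payload>'
and joins the fields inside a payload with the configured splitter. The
sample stream below is constructed for this example (it is not a capture
of this sample); only SPLITTER, the C2 endpoint and REG_KEY come from the
report's extracted configuration.
"""
from dataclasses import dataclass
from typing import List

SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "alokliu.ddns.net", 3389
REG_KEY = "851c1bb86c6c239085c8747c4b02db04"


@dataclass
class Frame:
    command: str        # first field of the payload, e.g. "ll" for the client info beacon
    fields: List[str]   # remaining fields, split on SPLITTER
    payload: bytes


def build_frame(*fields: str, splitter: str = SPLITTER) -> bytes:
    """Encode fields the way njRAT does: length header, NUL, splitter-joined payload."""
    payload = splitter.join(fields).encode("latin-1")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = SPLITTER) -> List[Frame]:
    """Split a captured TCP stream into complete frames.

    A trailing frame whose declared length exceeds the bytes available is
    left unparsed so a caller can buffer more data; a non-numeric length
    header raises, because the stream is then not njRAT framing at all.
    Because the payload is length-delimited, NUL bytes inside it (binary
    data such as screenshots) do not confuse the parser.
    """
    sp = splitter.encode("latin-1")
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        header = stream[pos:nul]
        if not header.isdigit():
            raise ValueError(f"non-numeric length header at offset {pos}: {header!r}")
        start = nul + 1
        end = start + int(header)
        if end > len(stream):
            break
        payload = stream[start:end]
        parts = [p.decode("latin-1") for p in payload.split(sp)]
        frames.append(Frame(parts[0], parts[1:], payload))
        pos = end
    return frames


def looks_like_njrat(stream: bytes, splitter: str = SPLITTER) -> bool:
    """Heuristic: at least one well-formed frame carrying the configured splitter."""
    try:
        frames = parse_frames(stream, splitter)
    except ValueError:
        return False
    return any(splitter.encode("latin-1") in f.payload for f in frames)


def matches_c2(host: str, port: int) -> bool:
    """True when a destination equals the extracted C2 endpoint (host compared case-insensitively)."""
    return host.rstrip(".").lower() == C2_HOST and port == C2_PORT


# Constructed stream: a client beacon, a bare command, and a truncated frame.
SAMPLE_STREAM = (
    build_frame("ll", "VICTIM-ID-CONSTRUCTED", "DESKTOP-EXAMPLE", "user", "0.7d")
    + build_frame("inf")
    + b"40\x00ll" + SPLITTER.encode("latin-1")   # declared 40 bytes, only 7 present
)

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_STREAM):
        print(frame.command, frame.fields)
    print("njRAT-like framing:", looks_like_njrat(SAMPLE_STREAM))
    print("C2 match:", matches_c2("ALOKLIU.ddns.net.", 3389))
```

The splitter is the most stable part of an njRAT build, so `looks_like_njrat` is a reasonable first-pass filter over reassembled TCP streams when the C2 hostname has already rotated; the dynamic-DNS host and port 3389 (chosen to blend with RDP) are the indicators to pair with it.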
Targets
-
-
Target
2Cheat Loader.exe
-
Size
754KB
-
MD5
6f5d3bff7d5d614175bfdde78cbf88ee
-
SHA1
ace1d0db2171b3498888a128bcb2f7c02c39e7b4
-
SHA256
efd666d0509a8f5a3c480af0348c59a2a9079b89d3ca3f991239648fcdac6d26
-
SHA512
9babe57e2a6f53329e1084079d682ebe3800bc27c7a9fbaca4d6c1b8b95824cb0bdc01aa113f7f096785d60b183c5fdee4231fc442e08b711911fda0518f1d35
-
SSDEEP
12288:5hxp3lZnT9bDN2cF3jGZprjKh2VyYpriiCxppEnqYW8qJ6fgRat2KEtfMK:5Jlh9bDN2cF+uhojprYGnO8qJygRhKcF
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
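The behaviours listed above (firewall modification, startup file drop, Run key) are each common in benign installers; what makes them specific to this sample is the Run value named after the extracted reg_key and the connection to the extracted C2. The Python below is an added example, not part of the report: it scores constructed Sysmon-like event records against those behaviours. The placeholder SID, file paths and the netsh command line are assumptions made for the example (the report names the firewall modification but does not show a command line); only the reg_key value and the C2 endpoint come from the extracted configuration.

```python
"""Added example: score host telemetry against the behaviours the report lists.

The event records below are constructed for this example in a simplified
Sysmon-like shape; they are not from the sandbox run. The Run-key value
name and the C2 endpoint are taken from the extracted configuration. The
netsh command line is an assumed illustration of the "Modifies Windows
Firewall" signature, not a command line the report shows.
"""
import re
from typing import Dict, Iterable, List, Set

REG_KEY = "851c1bb86c6c239085c8747c4b02db04"
C2_HOST, C2_PORT = "alokliu.ddns.net", 3389

# Value under any HKCU/HKU/HKLM ...\CurrentVersion\Run key (not RunOnce).
RUN_VALUE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

Event = Dict[str, str]


def classify(ev: Event) -> List[str]:
    """Map one event to the report's behaviour names it satisfies."""
    tags: List[str] = []
    kind = ev.get("event", "")
    if kind == "RegistryValueSet":
        m = RUN_VALUE_RE.search(ev.get("target", ""))
        if m:
            tags.append("adds_run_key")
            if m.group(1).lower() == REG_KEY:
                tags.append("run_value_name_matches_config")
    elif kind == "ProcessCreate":
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "").lower()
        if image.endswith("\\netsh.exe") and "firewall" in cmdline:
            tags.append("modifies_windows_firewall")
    elif kind == "NetworkConnect":
        host = ev.get("dst_host", "").rstrip(".").lower()
        if host == C2_HOST and int(ev.get("dst_port", "0")) == C2_PORT:
            tags.append("connects_to_c2")
    elif kind == "FileCreate" and STARTUP_DIR_RE.search(ev.get("target", "")):
        tags.append("drops_startup_file")
    return tags


def assess(events: Iterable[Event]) -> Dict[str, object]:
    """Aggregate per-event tags into a verdict.

    A connection to the configured C2 or a Run value named after the
    configured reg_key is specific to this sample and alone rates high;
    the generic persistence and firewall behaviours rate medium only when
    two or more co-occur, since each is common in benign software.
    """
    tags: Set[str] = set()
    for ev in events:
        tags.update(classify(ev))
    specific = {"connects_to_c2", "run_value_name_matches_config"}
    generic = {"adds_run_key", "modifies_windows_firewall", "drops_startup_file"}
    if tags & specific:
        severity = "high"
    elif len(tags & generic) >= 2:
        severity = "medium"
    elif tags & generic:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "tags": sorted(tags)}


# Constructed events (placeholder SID, paths and command line; not from the report).
SAMPLE_EVENTS: List[Event] = [
    {"event": "FileCreate",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"},
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\851c1bb86c6c239085c8747c4b02db04"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\user\\AppData\\Roaming\\example.exe" "example.exe" ENABLE'},
    {"event": "NetworkConnect", "dst_host": "alokliu.ddns.net", "dst_port": "3389"},
]

BENIGN_EVENTS: List[Event] = [
    {"event": "RegistryValueSet",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"event": "NetworkConnect", "dst_host": "example.com", "dst_port": "443"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
    print(assess(BENIGN_EVENTS))
```

The split between sample-specific and generic tags is the point: a Run value alone should not page anyone, but a Run value whose name equals the extracted reg_key, or any connection to the extracted C2, is enough on its own.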
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Event Triggered Execution (1)
  Netsh Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
  Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
  Windows Service (1)
Event Triggered Execution (1)
  Netsh Helper DLL (1)
Defense Evasion
Impair Defenses (1)
  Disable or Modify System Firewall (1)
Modify Registry (2)