General

  • Target

    15498158598632df42dd416de292d24e_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241004-3cel1awfnf

  • MD5

    15498158598632df42dd416de292d24e

  • SHA1

    3c82c22b8910963da6aaed0a7f4449b222cd2dbc

  • SHA256

    28a1e5b98c9b890026a9712ceabf90bc227750f5616d9d4b19f5c404d864db1f

  • SHA512

    1303c1b586d60a0a55ece624f9eeef94c48f19a8f941f85d8f530fd7a538435586c40442e10531e5a99f1e31ee30ee39e58e0e03dc84f9ae115d6725c999741c

  • SSDEEP

    24576:iYYKN5HuJM5g8Y1BpzS9ZX2Is/GTUsak+M2dnH3trXmp1bG2:iR+HDFYJS9AI0GwmWUp1L

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

TheWarz-Crack-1

C2

103.22.181.199:1177

Mutex

4ff3a911dbfff7e34d508efdb7eca614

Attributes
  • reg_key

    4ff3a911dbfff7e34d508efdb7eca614

  • splitter

    |'|'|

Targets

    • Target

      TheWarz-Crack.exe

    • Size

      1.2MB

    • MD5

      6b035800be70ccbedd9154a9ae57d03b

    • SHA1

      c7de2eba384c891723b4a17753ee00129f5fe973

    • SHA256

      e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de

    • SHA512

      1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7

    • SSDEEP

      24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • ModiLoader Second Stage

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks