General

  • Target

    2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118

  • Size

    375KB

  • Sample

    241009-e4akcs1djh

  • MD5

    2ad561e9bb9f780f56d5e7a280574432

  • SHA1

    e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

  • SHA256

    54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

  • SHA512

    8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

  • SSDEEP

    6144:dOm2B8bwepKH3435zfwJyJLcE0NBY5yoFdJraQqZC6P1ylyiec3fE:dOm2BgpKHo3lUyh0azJCZdylZjfE

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

212.192.241.42:5552

Mutex

34adf4afddd35097c6bf7951c5baad3a

Attributes
  • reg_key

    34adf4afddd35097c6bf7951c5baad3a

  • splitter

    |'|'|

Targets

    • Target

      2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118

    • Size

      375KB

    • MD5

      2ad561e9bb9f780f56d5e7a280574432

    • SHA1

      e6bc833d62ef0ec1e08674a0a8707e3ce2f09007

    • SHA256

      54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3

    • SHA512

      8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064

    • SSDEEP

      6144:dOm2B8bwepKH3435zfwJyJLcE0NBY5yoFdJraQqZC6P1ylyiec3fE:dOm2BgpKHo3lUyh0azJCZdylZjfE

    • Modifies WinLogon for persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks