General

  • Target

    3047a47ecd3436128b20f16c29d63550_JaffaCakes118

  • Size

    649KB

  • Sample

    241010-rhwlxszbjf

  • MD5

    3047a47ecd3436128b20f16c29d63550

  • SHA1

    a3b51245612735a44dc4b5ccb81829d05c9daf4f

  • SHA256

    b684e8c6223d2ece39800ed26431e8bfc0b8198c515327de3270200a60aec07d

  • SHA512

    e8c51d052454d42e339531fafdf39366b850125a4710c234ea820ed891bd1b24700929706258e3fc966b5de781fc8b2e07a2f8655565469518d67cc39c34534f

  • SSDEEP

    12288:sO29h7ukziWy9EUKFTZdXTZdHXTZdXTZkCG644FFxHPvtS8ULd+mQb+mQwWhhhhx:sO29ESiWy9EFFTZdXTZdHXTZdXTZkL6U

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

62.227.124.106:5552

Mutex

Windows

Attributes

  • reg_key

    Windows

  • splitter

    |-F-|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
