General

  • Target

    39c7890454199e5b02bb27a88a5de133_JaffaCakes118

  • Size

    23KB

  • Sample

    241012-nmwwpssfml

  • MD5

    39c7890454199e5b02bb27a88a5de133

  • SHA1

    5a74f54d3b229ac8d0232ebbbd06d1225e506130

  • SHA256

    d9009371df732bd8b3ccab8b38e9968069503292b112b2b27cb1c3c54814b3ab

  • SHA512

    05ac5c0249a16041117b628ca88fc3ea1c39296fc451064d60ce2e782685cc27055e4721aefa0d7c219f7b5e04765741b690edcaa0e546f64fa448c2db1cb404

  • SSDEEP

    384:hc6CqbFYh3odrVCGiHssDB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZJWv:iIU0tw3RpcnuYI

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ELITE REGEDIT vitima

C2

4.tcp.ngrok.io:15690

Mutex

136b1168824f71e066b31d730796138d

Attributes

  • reg_key

    136b1168824f71e066b31d730796138d

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15