General

  • Target

    3b293d74827ff906a5ca3a4e4439e98f_JaffaCakes118

  • Size

    188KB

  • Sample

    241012-vn6wma1fka

  • MD5

    3b293d74827ff906a5ca3a4e4439e98f

  • SHA1

    76d14a79e2be1543ab79873e7b87f0deee8aad17

  • SHA256

    3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

  • SHA512

    255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

  • SSDEEP

    3072:GJOgUyL6Msee8JZo34CTmlXbvMnSIRLMH8eOtWejCOGXeAYgFwnHBKLg209BY:GFXO8JZi4CTmlXbUn3FuODCRXeUwKG6

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    |Erica|

  • C2

    drpc.duckdns.org:1414

  • Mutex

    48d74fcafbfa01ee33743b0d0ea39495

Attributes

  • reg_key

    48d74fcafbfa01ee33743b0d0ea39495

  • splitter

    TOP

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks