General

  • Target

    921f017a81f6d5b9ef1f7c02456ae2ed_JaffaCakes118

  • Size

    647KB

  • Sample

    241124-daerjswpfk

  • MD5

    921f017a81f6d5b9ef1f7c02456ae2ed

  • SHA1

    0150383f1d396e3d8ae6cba10931c40631074a18

  • SHA256

    0eb998e122d7da2a5b25e06334a67011cada36a0e9f8faf7459aaa410501fab2

  • SHA512

    3d70d51524e45579db11a32148338767310df164828a3b7bfdd8e20cc6a41ca4136b33cc1646d12f902d4d031e29e344b414b863be1f0e7d746374ff4d1cc8e1

  • SSDEEP

    12288:IWAtyUBBIZ+T4nX03dvxlO6n/LJaJGHoAu/5G4CZUqejc+:FzyT3dvbO6nzJaJyoAMQ4CZUF

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    Miki

  • C2

    miki228.no-ip.biz:3333

  • Mutex

    cd89814ed610dfb76df931218aa9422a

  • Attributes

    • reg_key

      cd89814ed610dfb76df931218aa9422a

      (value name the implant writes for its Run-key persistence; here it is the same string as the mutex)

    • splitter

      |'|'|

      (field delimiter inside C2 messages; a good network detection token)
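A small triage helper that turns the extracted config into a network check, as an added example that is not part of the sandbox report and not njRAT's own code: the C2 host/port and the splitter are the values listed above; the length-prefixed framing `<ascii length>\0<payload>` is an assumption about the njRAT 0.7d wire format, only the first splitter-separated field is treated as a command token (no other field semantics are claimed), and the sample stream is constructed.

```python
"""Triage helper for njRAT-style C2 traffic.

Added example (not from the sandbox report, not njRAT code). C2 host/port and
SPLITTER come from the extracted config above; the "<ascii length>\\0<payload>"
framing is an assumption about njRAT 0.7d; SAMPLE_STREAM is constructed.
"""

SPLITTER = "|'|'|"             # 'splitter' attribute from the extracted config
C2_HOST = "miki228.no-ip.biz"  # 'C2' attribute from the extracted config
C2_PORT = 3333


def build_frame(payload: bytes) -> bytes:
    """Encode one frame as <decimal length>\\0<payload> (assumed njRAT framing)."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes):
    """Split a TCP stream into (command, fields) tuples.

    Returns (frames, leftover). Parsing stops at the first chunk that is not a
    well-formed frame; a truncated frame stays in `leftover` so the caller can
    retry once more bytes arrive instead of mis-parsing the tail.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        header = stream[pos:nul] if nul != -1 else b""
        if not header.isdigit():        # covers nul == -1 and non-numeric headers
            break
        length = int(header)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):           # truncated frame: wait for more data
            break
        text = stream[start:end].decode("utf-8", errors="replace")
        fields = text.split(SPLITTER)
        frames.append((fields[0], fields[1:]))  # first field acts as the command token
        pos = end
    return frames, stream[pos:]


def triage_flow(dst_host: str, dst_port: int, stream: bytes):
    """Return (findings, frames, leftover) for one outbound flow."""
    findings = []
    if dst_host == C2_HOST or dst_port == C2_PORT:
        findings.append(f"destination {dst_host}:{dst_port} matches extracted C2 {C2_HOST}:{C2_PORT}")
    frames, leftover = parse_frames(stream)
    for cmd, fields in frames:
        if fields:  # splitter-separated payload is the strongest protocol-level indicator
            findings.append(f"njRAT-style frame: command={cmd!r} with {len(fields)} field(s)")
    if leftover:
        findings.append(f"{len(leftover)} trailing byte(s) not parsed (truncated frame or non-njRAT data)")
    return findings, frames, leftover


# Constructed sample stream: a check-in style frame, a short second frame and a
# truncated frame, built with build_frame so the length prefixes are correct.
SAMPLE_STREAM = (
    build_frame(SPLITTER.encode().join([b"ll", b"HacKed_ABC123", b"DESKTOP-1"]))
    + build_frame(SPLITTER.encode().join([b"inf", b"x"]))
    + b"12\x00partial"
)

if __name__ == "__main__":
    for line in triage_flow(C2_HOST, C2_PORT, SAMPLE_STREAM)[0]:
        print(line)
```

The host/port match is the weakest indicator (the no-ip.biz name is dynamic DNS and the port is arbitrary), so the splitter-based frame parse is what should drive an alert; keeping the truncated tail in `leftover` avoids false negatives when a check-in is split across TCP segments.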

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET; this sample reports version 0.7d and beacons to the C2 listed in the extracted config.

    • Checks computer location settings

      Reads the country code configured in the registry, likely a geofence check so the payload only runs (or stays dormant) in certain locales.

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIt script compiled to a PE executable; together with the dropped-EXE and SetThreadContext signatures this is consistent with an AutoIt loader unpacking and injecting the njRAT payload.

    • Suspicious use of SetThreadContext

      Rewriting a thread's context is the final step of process hollowing (create suspended process, write payload, SetThreadContext, ResumeThread), so the .NET payload should be dumped from the injected child process rather than carved from the loader on disk.

MITRE ATT&CK Enterprise v15

Tasks