General

  • Target

    d9508a6739d129c598756d3cc13911fe_JaffaCakes118

  • Size

    455KB

  • Sample

    241209-m8jb3avqhz

  • MD5

    d9508a6739d129c598756d3cc13911fe

  • SHA1

    ece3eae0e5c29c42b25aa765b71f087aee24f8bd

  • SHA256

    8eb73615f94599f30d8978dee514e1a622ad20dc8230eb2e9c89c9f9dc736d89

  • SHA512

    d4ef69fa7b79413ad4d4413247291d50e6d8452622370709810806e7b4288a69e92b31525592169cb1fb71435f5493e00db677cf2e92544e2f10c3079d9216f4

  • SSDEEP

    6144:qjbeiIng03OLVp2KAS0aEyBB+CMwQ8XCM66iO/PCWpBEaOltxH1cWRSfzbrwL/:qudgWS5AsEVC6qEJO/PdB2i4azbrwz

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    1bld

  • C2

    moneyplayboy88.ddns.net:1604

  • Mutex

    5cba3755d9669704d2e4b04d63e79642

  • Attributes

    • reg_key

      5cba3755d9669704d2e4b04d63e79642

    • splitter

      |'|'|

Targets

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks