General

  • Target

    JaffaCakes118_46811c1d5ee6760733f363749071f92e

  • Size

    127KB

  • Sample

    250101-em99natphx

  • MD5

    46811c1d5ee6760733f363749071f92e

  • SHA1

    2c10273e7f7b5be5b8b07c9188f07b44a450166c

  • SHA256

    15d12789262a679cbefc1b5c4df5432e0592e0b5013c484c82b3a61f524a1365

  • SHA512

    c278092003c4092ea8a5fd8037869a3c6b1ea284862e3da4389d94d2af28251e83be1946114b5d29220f6c27a115d1ff454f8b3fa13c095493a512fdfbee8c20

  • SSDEEP

    3072:vTjUek9zjP62dkHEgitptSt+X9JvGdA0U3IZ0U+bZ0tm:vejPVkEgijt4OV+U3sJm

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

Update

C2

194.34.132.153:1604

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets

    • Target

      JaffaCakes118_46811c1d5ee6760733f363749071f92e

    • Size

      127KB

    • MD5

      46811c1d5ee6760733f363749071f92e

    • SHA1

      2c10273e7f7b5be5b8b07c9188f07b44a450166c

    • SHA256

      15d12789262a679cbefc1b5c4df5432e0592e0b5013c484c82b3a61f524a1365

    • SHA512

      c278092003c4092ea8a5fd8037869a3c6b1ea284862e3da4389d94d2af28251e83be1946114b5d29220f6c27a115d1ff454f8b3fa13c095493a512fdfbee8c20

    • SSDEEP

      3072:vTjUek9zjP62dkHEgitptSt+X9JvGdA0U3IZ0U+bZ0tm:vejPVkEgijt4OV+U3sJm

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks