General
-
Target
JaffaCakes118_78c618883d4ef11d7967a085bb169a90
-
Size
142KB
-
Sample
250104-krn5watrdp
-
MD5
78c618883d4ef11d7967a085bb169a90
-
SHA1
01eddd4cc1a1103838dd3a2147914c63d79eb43e
-
SHA256
3bf3cd02f196b7eb2596c361a708e8723c31dc1c8637f43cad2485d754b60c8b
-
SHA512
66fbcfbf608c28038c7ab2ef5132d978147a0393ef7b44dddf180cc3cffea94c677b14972ce63a5f580786259bd0f039961e131ec4641c1df6bacf93f660e707
-
SSDEEP
3072:t1EHZVn4swmr7XCgNzzKFVlRHCkV162LOh8bO8ntT8r:tOHZV44C4KFX1C01uyxtT
Malware Config
Extracted
njrat
0.6.4
HacKed
110xxx.zapto.org:1177
e2acc3c4483cfae75255b2af38dd51a3
-
reg_key
e2acc3c4483cfae75255b2af38dd51a3
-
splitter
|'|'|
Targets
-
-
Target
JaffaCakes118_78c618883d4ef11d7967a085bb169a90
-
Size
142KB
-
MD5
78c618883d4ef11d7967a085bb169a90
-
SHA1
01eddd4cc1a1103838dd3a2147914c63d79eb43e
-
SHA256
3bf3cd02f196b7eb2596c361a708e8723c31dc1c8637f43cad2485d754b60c8b
-
SHA512
66fbcfbf608c28038c7ab2ef5132d978147a0393ef7b44dddf180cc3cffea94c677b14972ce63a5f580786259bd0f039961e131ec4641c1df6bacf93f660e707
-
SSDEEP
3072:t1EHZVn4swmr7XCgNzzKFVlRHCkV162LOh8bO8ntT8r:tOHZV44C4KFX1C01uyxtT
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1