General

  • Target

    JaffaCakes118_7a63b7a48478b2abc9f3d63f9407699a

  • Size

    831KB

  • Sample

    250104-snar3svkhx

  • MD5

    7a63b7a48478b2abc9f3d63f9407699a

  • SHA1

    e8db095dffc5ef776a5d6135b10b4d88e099ce14

  • SHA256

    ca7e7680b292ae024bf0d061509332f8110521f5dfc47a0a1e873b37458f316d

  • SHA512

    8c13c39a2fb0f5b5dcd90edf5a84849ae89d8d419afb488d17432d9951e3145a36c320b0fdd2852c5502d85fcc3bad9466678e338b8645a3ff850c8b13994bdf

  • SSDEEP

    24576:cOAjjFCq/dd0bacRODmp4Way9tKegdaN65yeRS+:cOAjjFCqVduRMmp4Wan2ek+

Malware Config

Extracted

  • Family

    njrat

  • Version

    0.7d

  • Botnet

    HacKed

  • C2

    anassovichd12.sytes.net:1177

  • Mutex

    c122be8343d9e54fe75b0878ac42c0c5

Attributes

  • reg_key

    c122be8343d9e54fe75b0878ac42c0c5

  • splitter

    |'|'|

Targets

    • Target

      JaffaCakes118_7a63b7a48478b2abc9f3d63f9407699a

    • Detect Neshta payload

    • Neshta

      Malware from the Neshta family infects other executable files in order to spread and cause damage.

    • Neshta family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Suspicious use of SetThreadContext
