General

- Target: JaffaCakes118_5b30e1abda6519224400a3130ec4a6d9
- Size: 351KB
- Sample: 250107-ljef5sxjhr
- MD5: 5b30e1abda6519224400a3130ec4a6d9
- SHA1: da3e38bccae55d990367c0fca23168c51d701a5b
- SHA256: 653905714967697a317969fb085044c2ba054fb4f975133ac788ffa1b31fba10
- SHA512: 828ccfd11b91f73f43fc6fcaa325c2bdfe5cfeae7820a3d1717a4342968fc43d0844b01975700a57ba6d048915c48e80c18347c43a1d93844c6d04df3893d921
- SSDEEP: 6144:Lafar3yuIwet2afLtA59zDAyu938Vt4oz1H5svXtko9f6U:LaCb/KVLa5CyuCH4SG/i06U
Tasks

- Static task: static1
- Behavioral task: behavioral1
  - Sample: JaffaCakes118_5b30e1abda6519224400a3130ec4a6d9.exe
  - Resource: win7-20240903-en
- Behavioral task: behavioral2
  - Sample: JaffaCakes118_5b30e1abda6519224400a3130ec4a6d9.exe
  - Resource: win10v2004-20241007-en
Malware Config (extracted)

- Family: njrat
- Version: 0.6.4
- mohammed
- 127.0.0.1:1172
- e1de216f4ec1f885bb08ae5a1e62495b
- reg_key: e1de216f4ec1f885bb08ae5a1e62495b
- splitter: |'|'|
Targets

- Target: JaffaCakes118_5b30e1abda6519224400a3130ec4a6d9
- Size: 351KB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to those listed under General above)
Signatures

- Njrat family
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Defense Evasion
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Modify Registry (1)