njrat | 52d0aa400d6eb0f89b58f38646ba688d66d43d3242f459ef500ddf7876288335

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
Size

385KB
MD5

254a81df0a4b19b8d2a9e573009ce1ef
SHA1

e8922dd8597e7db5389eca4b6befe6baacbd2fc4
SHA256

52d0aa400d6eb0f89b58f38646ba688d66d43d3242f459ef500ddf7876288335
SHA512

b4b735269c07c4b34fde450469a4ec072904de8c1a71fa466e5d2fa9f1887f7d6935809f4eb342f562456c64fd87c7e804d86e54bd9e4b51393f9391f998f980
SSDEEP

12288:PMMMMMMMMMMMMMMMrMMMMMMMMMMMMMMMMXnTppc6o7MMMMMMMMMMMMMMVGX3jaA2:PMMMMMMMMMMMMMMMrMMMMMMMMMMMMMMq

Score

10^/10

njrat evasion persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3980 netsh.exe

pid	process
3980	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exeSoftware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Software.exe

Executes dropped EXE 2 IoCs

Processes:

Software.exeserver.exe

pid process

2716 Software.exe
3592 server.exe

pid	process
2716	Software.exe
3592	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b87bffad2953810075bbb7eb63d0a3f3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b87bffad2953810075bbb7eb63d0a3f3 = "\"C:\\Users\\Admin\\AppData\\Roaming\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

server.exe

description	pid	process
Token: SeDebugPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe
Token: 33	3592	server.exe
Token: SeIncBasePriorityPrivilege	3592	server.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exeSoftware.exeserver.exe

description	pid	process	target process
PID 5012 wrote to memory of 2716	5012	254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe	Software.exe
PID 5012 wrote to memory of 2716	5012	254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe	Software.exe
PID 5012 wrote to memory of 2716	5012	254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe	Software.exe
PID 2716 wrote to memory of 3592	2716	Software.exe	server.exe
PID 2716 wrote to memory of 3592	2716	Software.exe	server.exe
PID 2716 wrote to memory of 3592	2716	Software.exe	server.exe
PID 3592 wrote to memory of 3980	3592	server.exe	netsh.exe
PID 3592 wrote to memory of 3980	3592	server.exe	netsh.exe
PID 3592 wrote to memory of 3980	3592	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\254a81df0a4b19b8d2a9e573009ce1ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\Software.exe
"C:\Users\Admin\AppData\Local\Temp\Software.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Software.exe
Filesize
23KB

MD5
d8daa94368db99b328de95023b2134dd

SHA1
5c6f5d8a1d4503f54d17d75d01d048f9ef1e40e0

SHA256
38114d680b74f808f0f322f35db7def5047c07c865c599dd024a3f9f1fc3a52d

SHA512
0bf735c17d59993114380b89e3e93b9a0048d16e55112707768b7383186864f01a792c33e2ca0cfc43903bfa5be330f9bac370e9c71ebc7368c9f872495c28f8

Download Submit
memory/2716-30-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2716-20-0x0000000075590000-0x0000000075B41000-memory.dmp

Filesize
5.7MB

Download
memory/2716-17-0x0000000075592000-0x0000000075593000-memory.dmp

Filesize
4KB

Download
memory/5012-3-0x000000001C880000-0x000000001C91C000-memory.dmp

Filesize
624KB

Download
memory/5012-5-0x0000000001530000-0x0000000001538000-memory.dmp

Filesize
32KB

Download
memory/5012-6-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp

Filesize
9.6MB

Download
memory/5012-7-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp

Filesize
9.6MB

Download
memory/5012-8-0x000000001EC20000-0x000000001ECC6000-memory.dmp

Filesize
664KB

Download
memory/5012-4-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp

Filesize
9.6MB

Download
memory/5012-0-0x00007FFE15045000-0x00007FFE15046000-memory.dmp

Filesize
4KB

Download
memory/5012-19-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp

Filesize
9.6MB

Download
memory/5012-2-0x000000001CE80000-0x000000001D34E000-memory.dmp

Filesize
4.8MB

Download
memory/5012-1-0x00007FFE14D90000-0x00007FFE15731000-memory.dmp

Filesize
9.6MB

Download