Overview

overview

10

Static

static

10

JaySoy.exe

windows7_x64

10

JaySoy.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaySoy.exe

  • Size

    93KB

  • MD5

    e1bb8ea28a8d53fd209d1262e239397a

  • SHA1

    b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc

  • SHA256

    ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab

  • SHA512

    3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d

Score
10/10
njratjaysoevasiontrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

JaySo

C2

NC50Y3AuZXUubmdyb2suaW8Strik:MTI5MDg=

Mutex

429c4d90923139137515b87f729f47b8

Attributes
  • reg_key

    429c4d90923139137515b87f729f47b8

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaySoy.exe
    "C:\Users\Admin\AppData\Local\Temp\JaySoy.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    e1bb8ea28a8d53fd209d1262e239397a

    SHA1

    b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc

    SHA256

    ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab

    SHA512

    3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    e1bb8ea28a8d53fd209d1262e239397a

    SHA1

    b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc

    SHA256

    ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab

    SHA512

    3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    4B

    MD5

    3eb8a6afa534fadc147aa70dea76e863

    SHA1

    03b827d99098f69c9f126679598f7166c99d1624

    SHA256

    d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca

    SHA512

    b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327

    Download Submit
  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    e1bb8ea28a8d53fd209d1262e239397a

    SHA1

    b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc

    SHA256

    ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab

    SHA512

    3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\server.exe
    Filesize

    93KB

    MD5

    e1bb8ea28a8d53fd209d1262e239397a

    SHA1

    b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc

    SHA256

    ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab

    SHA512

    3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d

    Download Submit
  • memory/892-54-0x0000000076561000-0x0000000076563000-memory.dmp
    Filesize

    8KB

    Download
  • memory/892-55-0x0000000074BD0000-0x000000007517B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/892-62-0x0000000074BD0000-0x000000007517B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1048-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1048-64-0x0000000074BD0000-0x000000007517B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1048-67-0x0000000074BD0000-0x000000007517B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1452-65-0x0000000000000000-mapping.dmp
    Download