njrat | b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f

General

Target

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
Size

677KB
MD5

fbea1348950ebaa7d90f9d51dd0a7a9c
SHA1

9b37e6de95224163cc1378d2be066e1189fbe387
SHA256

b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f
SHA512

ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b
SSDEEP

12288:55VfzdeGreeF09DPa5b9h7ukziWy9EUKFTZdXTZdHXTZdXTZdVfzdeGreeF09DP0:5bdm2x9ESiWy9EFFTZdXTZdHXTZdXTZ5

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	test.exe

Executes dropped EXE 3 IoCs

Processes:

test.exeserver.exeWservices.exe

pid process

4548 test.exe
2180 server.exe
3944 Wservices.exe

pid	process
4548	test.exe
2180	server.exe
3944	Wservices.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe"	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

test.exe

pid process

4548 test.exe

pid	process
4548	test.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exetest.exe

description	pid	process	target process
PID 3488 wrote to memory of 4548	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 3488 wrote to memory of 4548	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 3488 wrote to memory of 4548	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	test.exe
PID 4548 wrote to memory of 2180	4548	test.exe	server.exe
PID 4548 wrote to memory of 2180	4548	test.exe	server.exe
PID 4548 wrote to memory of 2180	4548	test.exe	server.exe
PID 3488 wrote to memory of 3944	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	Wservices.exe
PID 3488 wrote to memory of 3944	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	Wservices.exe
PID 3488 wrote to memory of 3944	3488	fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe	Wservices.exe

C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbea1348950ebaa7d90f9d51dd0a7a9c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
3⤵
- Executes dropped EXE
PID:2180

C:\Users\Admin\AppData\Roaming\Wservices.exe
"C:\Users\Admin\AppData\Roaming\Wservices.exe"
2⤵
- Executes dropped EXE
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2232 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
93KB

MD5
5b5cecffd6d09aa17c582173815afd50

SHA1
20bfb5c4e4edf0900148ea309f9daf56301a8ddc

SHA256
ee19384a3d3599ab5f20eba3becd707dba301a94e383daf1248c08b4709aa230

SHA512
fe61e23dcd2acf8da0b25d206425ac5a3eab503726056605ca66a46b8ab933cd2741f7bf8353049c807284b7a146c53f27fdd78b52485573e3ef8c7f96e3d5bf

Download Submit
C:\Users\Admin\AppData\Roaming\Wservices.exe
Filesize
677KB

MD5
fbea1348950ebaa7d90f9d51dd0a7a9c

SHA1
9b37e6de95224163cc1378d2be066e1189fbe387

SHA256
b3980e29888786493c8cad1243df744f4edf730e911d6a8725df1ab73d0a3d0f

SHA512
ecf7f1fb093bd9b768e329b1a918484be751fb995fce22fb3fa9deeb21a08080020bd607415f1aaec5fa3087a11202c1479508dc0fa574a2a558df72d6a4d60b

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
53ce6d1ae8885b5d12e654469f456c83

SHA1
9d8b30c523ddef4d24134072b27716bec7d94d6f

SHA256
d7ebf92ad6e3bc44fbc3cfbb234ef4afafd7ea339f712229641a2849b6f87ce2

SHA512
c15df9281e9ccbb8d30e24e751b77a030e734f8cda4bd9482d3ca02f6b23e463a8e90ddd78a582ca059e57b8d0492c22583d792bc7368094ffc06e12cd145d9d

Download Submit
memory/2180-29-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/2180-34-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/2180-28-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/2180-27-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/3488-4-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3488-50-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3488-36-0x00000000053F0000-0x0000000005994000-memory.dmp

Filesize
5.6MB

Download
memory/3488-0-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3488-2-0x00000000049B0000-0x0000000004A4C000-memory.dmp

Filesize
624KB

Download
memory/3488-1-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3944-48-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3944-51-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4548-12-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/4548-35-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/4548-17-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4548-16-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/4548-15-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download
memory/4548-14-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4548-13-0x00000000709E0000-0x0000000070F91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads