Malware Analysis Report

2025-04-13 23:22

Sample ID 240427-cy3b3shc35
Target 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118
SHA256 8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9
Tags
njrat evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9

Threat Level: Known bad

The file 023617c1c011ea1ca68856bf7b290b57_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat evasion trojan

njRAT/Bladabindi

Modifies Windows Firewall

Executes dropped EXE

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 02:29

Reported

2024-04-27 02:32

Platform

win7-20240419-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\chrome.exe

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 jokeeer.ns360.info udp

Files

memory/2392-0-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2392-1-0x0000000002220000-0x00000000022A0000-memory.dmp

memory/2392-2-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2392-3-0x00000000003D0000-0x00000000003E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 023617c1c011ea1ca68856bf7b290b57
SHA1 6cac228d510568b7cd90bf5cb82202b55137b15b
SHA256 8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9
SHA512 e1b44e2441a084dc6adb58abc906c2e518d3cac35e989e8e080eb4dcbb89b3234ff8095d6a0f67822e24f36e48b82cd9cd418ef87ae15ac9c3c6b85be79b938f

memory/1660-10-0x0000000002090000-0x0000000002110000-memory.dmp

memory/1660-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/1660-11-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2392-12-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/1660-13-0x00000000003A0000-0x00000000003B4000-memory.dmp

memory/1660-14-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/1660-15-0x0000000002090000-0x0000000002110000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 02:29

Reported

2024-04-27 02:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\023617c1c011ea1ca68856bf7b290b57_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\chrome.exe

"C:\Users\Admin\AppData\Local\Temp\chrome.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 jokeeer.ns360.info udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1740-0-0x000000001B580000-0x000000001B626000-memory.dmp

memory/1740-2-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

memory/1740-1-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

memory/1740-3-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

memory/1740-4-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

memory/1740-5-0x000000001CA40000-0x000000001CF0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome.exe

MD5 023617c1c011ea1ca68856bf7b290b57
SHA1 6cac228d510568b7cd90bf5cb82202b55137b15b
SHA256 8da549ef10749b90b55f2c27c108b3176ab00c34892d0155fca56b86764e7df9
SHA512 e1b44e2441a084dc6adb58abc906c2e518d3cac35e989e8e080eb4dcbb89b3234ff8095d6a0f67822e24f36e48b82cd9cd418ef87ae15ac9c3c6b85be79b938f

memory/3792-20-0x0000000001940000-0x0000000001950000-memory.dmp

memory/3792-19-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

memory/1740-18-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

memory/3792-21-0x000000001C410000-0x000000001C4AC000-memory.dmp

memory/3792-22-0x00000000018F0000-0x00000000018F8000-memory.dmp

memory/3792-23-0x00007FFDCDF00000-0x00007FFDCE8A1000-memory.dmp

memory/3792-24-0x0000000001940000-0x0000000001950000-memory.dmp