Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
  • submitted
    27/04/2024, 05:33

General

  • Target

    0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe

  • Size

    472KB

  • MD5

    0289ca0e6a5378bb01d2fdb5c84aaf07

  • SHA1

    5f76ce7e0ffe97d949988974fb96f36b8d39cfd6

  • SHA256

    b20b02e40ef6e17882c380a681278f21ccb3699847cb7f618b78f6be6ba63609

  • SHA512

    974d923a74b145a9014e384e8f43812c170b40459055c974a420bc77b7f956c6469c9e01e66ec1ea0c3033c32eaf062c886195c39acbd87edb34dae7e40240e7

  • SSDEEP

    6144:F5/ajfCT5B2VXdy1HsZVzJBTZYyk7i8IIlVR4dBicSka4GctucxFyaqjztgmM9g+:fmJBG/m05z7LeQia51fn698up

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

adobe

C2

hakim32.ddns.net:2000

178.237.176.97:1604

Mutex

70a2da185a5371de029662fd48a04b9b

Attributes
  • reg_key

    70a2da185a5371de029662fd48a04b9b

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\AppData\Roaming\server.exe
        "C:\Users\Admin\AppData\Roaming\server.exe"
        3⤵
        • Executes dropped EXE
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Roaming\server.exe

    Filesize

    52KB

    MD5

    278edbd499374bf73621f8c1f969d894

    SHA1

    a81170af14747781c5f5f51bb1215893136f0bc0

    SHA256

    c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

    SHA512

    93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

  • memory/2240-0-0x0000000001280000-0x00000000012E2000-memory.dmp

    Filesize

    392KB

  • memory/2240-1-0x0000000074130000-0x000000007481E000-memory.dmp

    Filesize

    6.9MB

  • memory/2240-2-0x00000000002A0000-0x00000000002C8000-memory.dmp

    Filesize

    160KB

  • memory/2240-3-0x00000000002E0000-0x00000000002EC000-memory.dmp

    Filesize

    48KB

  • memory/2240-4-0x0000000000420000-0x000000000043C000-memory.dmp

    Filesize

    112KB

  • memory/2240-16-0x0000000074130000-0x000000007481E000-memory.dmp

    Filesize

    6.9MB

  • memory/2884-6-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-7-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-5-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2884-15-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-13-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-17-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB

  • memory/2884-11-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

  • memory/2884-25-0x0000000074130000-0x00000000746DB000-memory.dmp

    Filesize

    5.7MB