Analysis Overview
SHA256
54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563
Threat Level: Known bad
The file 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
NTFS ADS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-28 02:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-28 02:19
Reported
2024-04-28 02:22
Platform
win7-20240419-en
Max time kernel
147s
Max time network
144s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2440 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.lnk" /f
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cihan05.duckdns.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.jpg
| MD5 | 0428ff225e18a0e79774b8f1b0c30b80 |
| SHA1 | 806413191e59a704f26287aa5b0136d64dd2f30b |
| SHA256 | 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563 |
| SHA512 | 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86 |
\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | 2177a5b2d4432d38ff059f9feb9b560f |
| SHA1 | e7c62227fa5fc416cd6d0bb4fec2dc34057130f9 |
| SHA256 | 76e3aa841279c976da1f37a675960dd7fcf119ef65bbe36764af1e4437c05bbf |
| SHA512 | 5c6adffad74eaa7d7ba418d1b7e2ee64d57036c0b25227746799e65e3f76817393f3416e382e13c3e179c9a9015530e5d0a791c42e83e8618398ee42d03fbfe3 |
\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 2e5f1cf69f92392f8829fc9c9263ae9b |
| SHA1 | 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5 |
| SHA256 | 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b |
| SHA512 | f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883 |
C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
| MD5 | 609f21988eae322f33f775df1cee0481 |
| SHA1 | 30b3f2bdab680ffd92ac2cd248a6af3cdfcddd01 |
| SHA256 | 4891ae96168de7eb45ea4d17bdbd31ea8b29124163e3d982f4f6f120ff07e487 |
| SHA512 | 061d3896c955966feae7c4f698d7e313439586c9c300a763769f1f9fa58068a68766824a970df9f3f56ee1bab32685109eed4e928b15be8445d93602be2efadb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-28 02:19
Reported
2024-04-28 02:22
Platform
win10v2004-20240419-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 912 set thread context of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.lnk" /f
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
C:\Windows\SysWOW64\timeout.exe
timeout /t 300
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cihan05.duckdns.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.jpg
| MD5 | 0428ff225e18a0e79774b8f1b0c30b80 |
| SHA1 | 806413191e59a704f26287aa5b0136d64dd2f30b |
| SHA256 | 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563 |
| SHA512 | 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86 |
C:\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | 2177a5b2d4432d38ff059f9feb9b560f |
| SHA1 | e7c62227fa5fc416cd6d0bb4fec2dc34057130f9 |
| SHA256 | 76e3aa841279c976da1f37a675960dd7fcf119ef65bbe36764af1e4437c05bbf |
| SHA512 | 5c6adffad74eaa7d7ba418d1b7e2ee64d57036c0b25227746799e65e3f76817393f3416e382e13c3e179c9a9015530e5d0a791c42e83e8618398ee42d03fbfe3 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 84c42d0f2c1ae761bef884638bc1eacd |
| SHA1 | 4353881e7f4e9c7610f4e0489183b55bb58bb574 |
| SHA256 | 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3 |
| SHA512 | 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87 |
C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
| MD5 | 609f21988eae322f33f775df1cee0481 |
| SHA1 | 30b3f2bdab680ffd92ac2cd248a6af3cdfcddd01 |
| SHA256 | 4891ae96168de7eb45ea4d17bdbd31ea8b29124163e3d982f4f6f120ff07e487 |
| SHA512 | 061d3896c955966feae7c4f698d7e313439586c9c300a763769f1f9fa58068a68766824a970df9f3f56ee1bab32685109eed4e928b15be8445d93602be2efadb |