Malware Analysis Report

2025-04-13 23:22

Sample ID 240428-erdfgsgb4x
Target 04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118
SHA256 8336b8ec7a8049c1f669cad6cd5e2c86a46b35c5dc787ec7a0f5ff6d784191de
Tags: njrat hackedviseo persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

8336b8ec7a8049c1f669cad6cd5e2c86a46b35c5dc787ec7a0f5ff6d784191de

Threat Level: Known bad

The file 04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hackedviseo persistence trojan

njRAT/Bladabindi

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-28 04:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 04:10

Reported

2024-04-28 04:12

Platform

win7-20240220-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\jusched.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\jusched.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\jusched.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java update = "\"C:\\ProgramData\\jusched.exe\" .." | C:\ProgramData\jusched.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java update = "\"C:\\ProgramData\\jusched.exe\" .." | C:\ProgramData\jusched.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe | N/A
N/A | N/A | C:\ProgramData\jusched.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe"

C:\ProgramData\jusched.exe

"C:\ProgramData\jusched.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | supporknowledgebase.ddns.net | udp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp

Files

C:\ProgramData\jusched.exe

MD5 04580a561b54c6ec13284c6ed27dddb8
SHA1 a4fc2aa9b21114c3bcd167541bf96865d93f67a6
SHA256 8336b8ec7a8049c1f669cad6cd5e2c86a46b35c5dc787ec7a0f5ff6d784191de
SHA512 0060b8f33bda143e07c2b8d68720b900e0667bcf70b152e352bc32cf58e532188cad450eab38da1f0baead4f58249e997efa69559f32058e3e3cabc558a716bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 04:10

Reported

2024-04-28 04:12

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\jusched.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | C:\ProgramData\jusched.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\jusched.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java update = "\"C:\\ProgramData\\jusched.exe\" .." | C:\ProgramData\jusched.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java update = "\"C:\\ProgramData\\jusched.exe\" .." | C:\ProgramData\jusched.exe | N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe | N/A
N/A | N/A | C:\ProgramData\jusched.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A
Token: 33 | N/A | C:\ProgramData\jusched.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\ProgramData\jusched.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\04580a561b54c6ec13284c6ed27dddb8_JaffaCakes118.exe"

C:\ProgramData\jusched.exe

"C:\ProgramData\jusched.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4236 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | supporknowledgebase.ddns.net | udp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 8.8.8.8:53 | 195.237.105.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
GB | 142.250.187.234:443 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 8.8.8.8:53 | 225.238.32.23.in-addr.arpa | udp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 184.105.237.195:7412 | supporknowledgebase.ddns.net | tcp
US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp

Files

C:\ProgramData\jusched.exe

MD5 04580a561b54c6ec13284c6ed27dddb8
SHA1 a4fc2aa9b21114c3bcd167541bf96865d93f67a6
SHA256 8336b8ec7a8049c1f669cad6cd5e2c86a46b35c5dc787ec7a0f5ff6d784191de
SHA512 0060b8f33bda143e07c2b8d68720b900e0667bcf70b152e352bc32cf58e532188cad450eab38da1f0baead4f58249e997efa69559f32058e3e3cabc558a716bb
