njrat | f6d6f2f4c05d54eeda9abbfd15f8241c5836b44b27694136915cfcaf70374bde

General

Target

15745dbac240993bdf41da546f185342_JaffaCakes118.exe
Size

48KB
MD5

15745dbac240993bdf41da546f185342
SHA1

574d985e0e9253f819debcc80ad4bf0423d038bf
SHA256

f6d6f2f4c05d54eeda9abbfd15f8241c5836b44b27694136915cfcaf70374bde
SHA512

bb03514580f68bb1e06db304b4231ac715531867ae956663c53cb571438d2a43dfad12440a48440e3ea5b9c197e694a63354be30a8876190114bd269228d1ae1
SSDEEP

768:4Z9N/UrfI5Yvf1AZkqYqkAD56t4vrQOi/B6G6vtjw8t0BCDR:4ZrMobZkqYedvUOQ8VDR

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2876	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c9b1a2c792d187131cebce9e0db26528.exe	VeilCracked.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c9b1a2c792d187131cebce9e0db26528.exe	VeilCracked.exe

Executes dropped EXE 2 IoCs

pid	Process
2916	taskmgr.exe
2480	VeilCracked.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe
2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe
2916	taskmgr.exe
2916	taskmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\c9b1a2c792d187131cebce9e0db26528 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VeilCracked.exe\" .."	VeilCracked.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c9b1a2c792d187131cebce9e0db26528 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VeilCracked.exe\" .."	VeilCracked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe
Token: SeDebugPrivilege	2916	taskmgr.exe
Token: SeDebugPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe
Token: 33	2480	VeilCracked.exe
Token: SeIncBasePriorityPrivilege	2480	VeilCracked.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2916	2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2916	2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2916	2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe	28
PID 2220 wrote to memory of 2916	2220	15745dbac240993bdf41da546f185342_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2480	2916	taskmgr.exe	29
PID 2916 wrote to memory of 2480	2916	taskmgr.exe	29
PID 2916 wrote to memory of 2480	2916	taskmgr.exe	29
PID 2916 wrote to memory of 2480	2916	taskmgr.exe	29
PID 2480 wrote to memory of 2876	2480	VeilCracked.exe	30
PID 2480 wrote to memory of 2876	2480	VeilCracked.exe	30
PID 2480 wrote to memory of 2876	2480	VeilCracked.exe	30
PID 2480 wrote to memory of 2876	2480	VeilCracked.exe	30

C:\Users\Admin\AppData\Local\Temp\15745dbac240993bdf41da546f185342_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15745dbac240993bdf41da546f185342_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\taskmgr.exe
  "C:\Users\Admin\AppData\Local\Temp\taskmgr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\VeilCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\VeilCracked.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\VeilCracked.exe" "VeilCracked.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rSmRqHT

Filesize
23KB

MD5
7fee8fd03656cbb623323de0eab3a9d3

SHA1
98dd3116a06ffc0a1564b835a2106e27ac51a13e

SHA256
a9c49fd43fabbaea62e37399ca35881fd8e6440c24cc18a2b1ba251a58919ca9

SHA512
768e2196bb89b85f56becc59dfcde2453f3bfb13d1ead21d19ea9eb251959de9557a58c91164d8644af551fa8dad0df54f95c5d77b83f6dffd28626f2d10eb09

Download Submit
\Users\Admin\AppData\Local\Temp\taskmgr.exe

Filesize
48KB

MD5
15745dbac240993bdf41da546f185342

SHA1
574d985e0e9253f819debcc80ad4bf0423d038bf

SHA256
f6d6f2f4c05d54eeda9abbfd15f8241c5836b44b27694136915cfcaf70374bde

SHA512
bb03514580f68bb1e06db304b4231ac715531867ae956663c53cb571438d2a43dfad12440a48440e3ea5b9c197e694a63354be30a8876190114bd269228d1ae1

Download Submit
memory/2220-0-0x0000000074AA1000-0x0000000074AA2000-memory.dmp

Filesize
4KB

Download
memory/2220-1-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-2-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-13-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-15-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-16-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-14-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download
memory/2916-30-0x0000000074AA0000-0x000000007504B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads