Analysis
-
max time kernel
149s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15-05-2024 16:22
General
-
Target
4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe
-
Size
134KB
-
MD5
4701184e44814ce10db47e9adf55088b
-
SHA1
658c1444f95ecb3930cb490368421eb0f2ec2b6a
-
SHA256
f816cf3c16d0925ccc3bcde9e7e01c80c4aa7f675595fcb6b599213cb4805de1
-
SHA512
db609061362e4319bcea52b9d073b7461fbc5156e4fe0b19fa9d840f1de5f95466137f5ec392a9beac5024040f905fdf5357121e81afe57a7cf1845e2d161045
-
SSDEEP
3072:/RizzKqY6rDC+tYw3RFa2je49OYwERuHTOUoRe:/Ri7/C+SQRgj4MHTOD
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exeFilesize
134KB
MD54701184e44814ce10db47e9adf55088b
SHA1658c1444f95ecb3930cb490368421eb0f2ec2b6a
SHA256f816cf3c16d0925ccc3bcde9e7e01c80c4aa7f675595fcb6b599213cb4805de1
SHA512db609061362e4319bcea52b9d073b7461fbc5156e4fe0b19fa9d840f1de5f95466137f5ec392a9beac5024040f905fdf5357121e81afe57a7cf1845e2d161045
-
memory/1256-9-0x0000000000BB0000-0x0000000000BD8000-memory.dmpFilesize
160KB
-
memory/1256-12-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB
-
memory/1256-13-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB
-
memory/1256-14-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB
-
memory/1256-15-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB
-
memory/2364-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmpFilesize
4KB
-
memory/2364-1-0x0000000000C60000-0x0000000000C88000-memory.dmpFilesize
160KB
-
memory/2364-2-0x0000000000150000-0x000000000015C000-memory.dmpFilesize
48KB
-
memory/2364-3-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB
-
memory/2364-10-0x000007FEF5670000-0x000007FEF605C000-memory.dmpFilesize
9.9MB