Analysis
-
max time kernel
149s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
18-05-2024 08:19
General
-
Target
53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
-
Size
228KB
-
MD5
53cd92f44b837f835fe4e3ab7a53dda1
-
SHA1
c054c5568ecbf3eb7535670a0b5de3cc2763b476
-
SHA256
24edc3ee97543e44ed48c91413aa4a34a57866cee28c86b1187ecdcddc52983c
-
SHA512
3d7319303af1f68f80e08769925a7c5a435d127b3dc529657a90c1b43a99d09fb1281110136a64186b11f5b79d9d4b69555ddf433c22d0527fc591bce83ce604
-
SSDEEP
6144:/Puw1LRQ2l67whSrkbo2F3S1NfyKT00m3UVwBmTVi/VxG:Huw1Lm2l6VM0II1UHVVx
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\Google Root.exeFilesize
228KB
MD553cd92f44b837f835fe4e3ab7a53dda1
SHA1c054c5568ecbf3eb7535670a0b5de3cc2763b476
SHA25624edc3ee97543e44ed48c91413aa4a34a57866cee28c86b1187ecdcddc52983c
SHA5123d7319303af1f68f80e08769925a7c5a435d127b3dc529657a90c1b43a99d09fb1281110136a64186b11f5b79d9d4b69555ddf433c22d0527fc591bce83ce604
-
memory/2276-0-0x000000007420E000-0x000000007420F000-memory.dmpFilesize
4KB
-
memory/2276-1-0x00000000008B0000-0x00000000008EE000-memory.dmpFilesize
248KB
-
memory/2276-3-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB
-
memory/2276-2-0x0000000000230000-0x000000000023E000-memory.dmpFilesize
56KB
-
memory/2276-15-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB
-
memory/2936-12-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB
-
memory/2936-11-0x0000000000B30000-0x0000000000B6E000-memory.dmpFilesize
248KB
-
memory/2936-13-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB
-
memory/2936-16-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB
-
memory/2936-17-0x0000000074200000-0x00000000748EE000-memory.dmpFilesize
6.9MB