Analysis
-
max time kernel
149s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
19-05-2024 07:26
General
-
Target
593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe
-
Size
58KB
-
MD5
593b3910c7e97e6d426e6334f94a4ba1
-
SHA1
5a965364feb9ffa80fbacde302a7d85e835d2749
-
SHA256
ed72d5b85be09ea8d6da3f34c867224f996306e76732026fa30d45c6e9c83f46
-
SHA512
efc0581a3a82137f9763fa785ef9df3cdae54a99bd884c03b05e087816dd0e5eb16f4361292508ee59e3c596887e44063737a8fc09f99f79e5eaee4e27a107be
-
SSDEEP
1536:IKYQ3VQByoCI9sVc1lFODeQXYZoIQkKhlW83:vF3VkyoDsC/FODjIQkKq83
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exeFilesize
58KB
MD5593b3910c7e97e6d426e6334f94a4ba1
SHA15a965364feb9ffa80fbacde302a7d85e835d2749
SHA256ed72d5b85be09ea8d6da3f34c867224f996306e76732026fa30d45c6e9c83f46
SHA512efc0581a3a82137f9763fa785ef9df3cdae54a99bd884c03b05e087816dd0e5eb16f4361292508ee59e3c596887e44063737a8fc09f99f79e5eaee4e27a107be
-
memory/2348-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmpFilesize
4KB
-
memory/2348-1-0x0000000001140000-0x0000000001154000-memory.dmpFilesize
80KB
-
memory/2348-2-0x00000000001D0000-0x00000000001DE000-memory.dmpFilesize
56KB
-
memory/2360-8-0x00000000013E0000-0x00000000013F4000-memory.dmpFilesize
80KB
-
memory/2360-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmpFilesize
9.9MB
-
memory/2360-11-0x000007FEF5F80000-0x000007FEF696C000-memory.dmpFilesize
9.9MB
-
memory/2360-12-0x000007FEF5F80000-0x000007FEF696C000-memory.dmpFilesize
9.9MB
-
memory/2360-13-0x000007FEF5F80000-0x000007FEF696C000-memory.dmpFilesize
9.9MB