njrat | b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18

General

Target

60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
Size

23KB
MD5

60b9f5772f52920b02507511dc5ff5cd
SHA1

6eda493c46a883761cc4d69516fb84ff9975a3df
SHA256

b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18
SHA512

c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc
SSDEEP

384:xTWSEFDn65Egj6RGiYCINTY6xgXakh2oZDJmRvR6JZlbw8hqIusZzZGI:Nm7OM9YX0MRpcnuo

Score

10^/10

njrat evasion persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4996	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1752	njrat fr3on.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .."	njrat fr3on.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5960382bc6c885bc624da9f2db2ec726 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\njrat fr3on.exe\" .."	njrat fr3on.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe
Token: 33	1752	njrat fr3on.exe
Token: SeIncBasePriorityPrivilege	1752	njrat fr3on.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1752	2432	60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe	98
PID 2432 wrote to memory of 1752	2432	60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe	98
PID 2432 wrote to memory of 1752	2432	60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe	98
PID 1752 wrote to memory of 4996	1752	njrat fr3on.exe	100
PID 1752 wrote to memory of 4996	1752	njrat fr3on.exe	100
PID 1752 wrote to memory of 4996	1752	njrat fr3on.exe	100

C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60b9f5772f52920b02507511dc5ff5cd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe
  "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe" "njrat fr3on.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\njrat fr3on.exe

Filesize
23KB

MD5
60b9f5772f52920b02507511dc5ff5cd

SHA1
6eda493c46a883761cc4d69516fb84ff9975a3df

SHA256
b019f264edfde3939e799eee24361725d6b70d8701d58c8a782e316575dcce18

SHA512
c17a3397c918ad7b5c2bf8d794c0885af0511378e770b9f16a0c067de86426c83a237527e425e58c76bd93dc8ee001ede8561fc2f61fdc5fa314f22fddf401dc

Download Submit
memory/1752-13-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1752-14-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1752-16-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/1752-18-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2432-0-0x00000000749C2000-0x00000000749C3000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2432-2-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2432-11-0x00000000749C2000-0x00000000749C3000-memory.dmp

Filesize
4KB

Download
memory/2432-12-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download
memory/2432-17-0x00000000749C0000-0x0000000074F71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads