njrat | 14396a942f7a0b580e799d6c15e281150a6c7f25a30a917bf445388058665f9e

General

Target

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
Size

520KB
MD5

6658e474113c5241f9ad3b32ad7e6228
SHA1

4466ee86ddafd15f05f6312e929f4875ebb25996
SHA256

14396a942f7a0b580e799d6c15e281150a6c7f25a30a917bf445388058665f9e
SHA512

d941d727aa4ef18a2661406ec75c1a54e65e308db90f95f10136aa6cf49286a8e37a7892bcde439282bc85b2da862834ef128ffe79d55da7cd8df0735c63c130
SSDEEP

3072:7V/gcQgdWMlHEINo3vXbrFXIUyLu+n2SyTvcnrLi2DQXf:+JNMiI6fL5IBLu+D/e2Qf

Score

10^/10

njrat victime evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

VICTIME

C2

med78520.no-ip.org:1604

Mutex

191da080f1cb6252fab9081030369fa6

Attributes

reg_key
191da080f1cb6252fab9081030369fa6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3856 netsh.exe

pid	process
3856	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

explorerr.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\191da080f1cb6252fab9081030369fa6.exe	explorerr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\191da080f1cb6252fab9081030369fa6.exe	explorerr.exe

Executes dropped EXE 2 IoCs

Processes:

explorerr.exeexplorerr.exe

pid process

1844 explorerr.exe
2644 explorerr.exe

pid	process
1844	explorerr.exe
2644	explorerr.exe

Loads dropped DLL 8 IoCs

Processes:

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exeexplorerr.exe

pid	process
3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
1844	explorerr.exe
1844	explorerr.exe
1844	explorerr.exe
1844	explorerr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorerr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\191da080f1cb6252fab9081030369fa6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorerr.exe\" .."	explorerr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\191da080f1cb6252fab9081030369fa6 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\explorerr.exe\" .."	explorerr.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exeexplorerr.exe

description	pid	process	target process
PID 3492 set thread context of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 1844 set thread context of 2644	1844	explorerr.exe	explorerr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exeexplorerr.exeexplorerr.exe

description	pid	process
Token: SeDebugPrivilege	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
Token: SeDebugPrivilege	1844	explorerr.exe
Token: SeDebugPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe
Token: 33	2644	explorerr.exe
Token: SeIncBasePriorityPrivilege	2644	explorerr.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exeexplorerr.exeexplorerr.exe

description	pid	process	target process
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 3492 wrote to memory of 4424	3492	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
PID 4424 wrote to memory of 1844	4424	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	explorerr.exe
PID 4424 wrote to memory of 1844	4424	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	explorerr.exe
PID 4424 wrote to memory of 1844	4424	6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 1844 wrote to memory of 2644	1844	explorerr.exe	explorerr.exe
PID 2644 wrote to memory of 3856	2644	explorerr.exe	netsh.exe
PID 2644 wrote to memory of 3856	2644	explorerr.exe	netsh.exe
PID 2644 wrote to memory of 3856	2644	explorerr.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3492

C:\Users\Admin\AppData\Local\Temp\6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\explorerr.exe
"C:\Users\Admin\AppData\Local\Temp\explorerr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\explorerr.exe
C:\Users\Admin\AppData\Local\Temp\explorerr.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\explorerr.exe" "explorerr.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:3856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
471B

MD5
c40628755d6fe8cb521ef3618b225a48

SHA1
0c91fef5d0dcd1291bc97f447a2a8e99bdbd3000

SHA256
c1bea41278027541d469080e9e0da49af66bf70ca283c474f97c2c3c724e5333

SHA512
3a64c189c67f14aa3ccd343384991505ad06c0b54bbe3ab13bb577088a3dc7b3a3470898d0b12d61cc3566b841286a27a32ca18ef3d456886fb24d61dd7b731f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_589C991A0C2D41D117DB46181BD31094
Filesize
490B

MD5
b498e4ebae60e425839706164e7e8f30

SHA1
88b66eb19a70c9bc13b78b9d153ad6ec44ebec68

SHA256
7a44dc90e024c5f192353872b11c7592b7da550767272028702e9576b49c40cb

SHA512
6dd72c72bcdc798b4d1a3ee9235fa639e84316d64bd6c9b56718fec9826b4924d1ca5fb82f015684192fc2f662d8112b630ae7603e34f2c5187a4bcf24815ca7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
Filesize
404B

MD5
711d4fc49ae08ab837bdb98d0fee6cf8

SHA1
c2d6eb02620db551c6f14b6adb7d886048b6674a

SHA256
ad4948b4e74ea3cc0285d586c27aeb70243fab46fbbc9c9615ff738e322b628e

SHA512
d851c96bcad6e2a92dc4142180f0d6878ee5a6db4a552dbb33e1764606ea0b15be5e9efef9ad32c754b6765677c503b4cb74a1c5d8dcff18787708f25f878b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_589C991A0C2D41D117DB46181BD31094
Filesize
408B

MD5
56312d45eaf879b21497070905cf225e

SHA1
e72f08b8a2291519f82930e4055cb4f54ee927df

SHA256
5e6286592a8cabcc3407e2372f910545b1719d1d70d3f73ed39838edc9876f19

SHA512
8c31180cc5c7fa6b4f58e2df7e568b11ac24908b5f963099dfa9c265856505d17ec5c0ae3d5fc87f3bfc8df89c33d5fc25c925f96b2eafb827c15dd8f97c3c9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6658e474113c5241f9ad3b32ad7e6228_JaffaCakes118.exe.log
Filesize
594B

MD5
fdb26b3b547022b45cfaeee57eafd566

SHA1
11c6798b8a59233f404014c5e79b3363cd564b37

SHA256
2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0

SHA512
44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLLRun.dll
Filesize
98KB

MD5
349294e042256b71cfa11d7cd691ac49

SHA1
7978044a7ed2be1cc74294c9c8b3794a7256a33f

SHA256
c4c1bac452420a233ba950aed21c0a87f827155f442321b7655a5fe49889eb1e

SHA512
b9c4fcc101e59fa181c9a4fb144dc285897ead9082ceb2a23f56310f181484273bc969dceddaf5c00c80e7b3322a05cca13d1d0ad7b725f94bb68c938b3b684b

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorerr.exe
Filesize
520KB

MD5
6658e474113c5241f9ad3b32ad7e6228

SHA1
4466ee86ddafd15f05f6312e929f4875ebb25996

SHA256
14396a942f7a0b580e799d6c15e281150a6c7f25a30a917bf445388058665f9e

SHA512
d941d727aa4ef18a2661406ec75c1a54e65e308db90f95f10136aa6cf49286a8e37a7892bcde439282bc85b2da862834ef128ffe79d55da7cd8df0735c63c130

Download Submit
memory/1844-55-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/1844-54-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/1844-45-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/1844-44-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3492-2-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3492-23-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3492-0-0x00000000752A2000-0x00000000752A3000-memory.dmp

Filesize
4KB

Download
memory/3492-25-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/3492-1-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4424-39-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4424-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4424-26-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download
memory/4424-24-0x00000000752A0000-0x0000000075851000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads