njrat | 22c4762706b5affeb8e1b88a68616d42d72ef851def63908561a4ddb3b4914b4

General

Target

6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe
Size

31KB
MD5

6cad475c6e8c9139055b3bdf3d716113
SHA1

346ce2065899cc85fa1f752f8c88a45891f8c95d
SHA256

22c4762706b5affeb8e1b88a68616d42d72ef851def63908561a4ddb3b4914b4
SHA512

a592568b64a85ebe5818459237464fa9f646455c3a53a8cdae906e6ee1190b178369d1b4b157f01d806333d5577544f15a3c01598b94405b798c11619b205e41
SSDEEP

768:i/0JRmRzj+zxJ+hyAscnhTXv6woQmIDUu0tiFmj:fMa0jD3oQVk9j

Score

10^/10

njrat mybot evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

MyBot

C2

192.168.0.108:6522

Mutex

7004a169caddc15ac96f95a3f349997f

Attributes

reg_key
7004a169caddc15ac96f95a3f349997f
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1048 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

sex.exe

pid process

2888 sex.exe
Loads dropped DLL 1 IoCs

Processes:

6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe

pid process

1976 6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1048	netsh.exe

pid	process
2888	sex.exe

pid	process
1976	6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

sex.exe

description	pid	process
Token: SeDebugPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe
Token: 33	2888	sex.exe
Token: SeIncBasePriorityPrivilege	2888	sex.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exesex.exe

description	pid	process	target process
PID 1976 wrote to memory of 2888	1976	6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe	sex.exe
PID 1976 wrote to memory of 2888	1976	6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe	sex.exe
PID 1976 wrote to memory of 2888	1976	6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe	sex.exe
PID 1976 wrote to memory of 2888	1976	6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe	sex.exe
PID 2888 wrote to memory of 1048	2888	sex.exe	netsh.exe
PID 2888 wrote to memory of 1048	2888	sex.exe	netsh.exe
PID 2888 wrote to memory of 1048	2888	sex.exe	netsh.exe
PID 2888 wrote to memory of 1048	2888	sex.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6cad475c6e8c9139055b3bdf3d716113_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\sex.exe
"C:\Users\Admin\AppData\Local\Temp\sex.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sex.exe" "sex.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sex.exe
Filesize
31KB

MD5
6cad475c6e8c9139055b3bdf3d716113

SHA1
346ce2065899cc85fa1f752f8c88a45891f8c95d

SHA256
22c4762706b5affeb8e1b88a68616d42d72ef851def63908561a4ddb3b4914b4

SHA512
a592568b64a85ebe5818459237464fa9f646455c3a53a8cdae906e6ee1190b178369d1b4b157f01d806333d5577544f15a3c01598b94405b798c11619b205e41

Download Submit
memory/1976-0-0x0000000074151000-0x0000000074152000-memory.dmp

Filesize
4KB

Download
memory/1976-1-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-2-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-10-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-11-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2888-12-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing