njrat | 65a93c84ced49ca27aa9054207fa34b8f572163fe35c3804ed7057e828a080a7

General

Target

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
Size

213KB
MD5

6b91dc8b77d784e9f1904f25f3f66faf
SHA1

110893b2ef0523f24c791f3697d9e4bc5b9eda5f
SHA256

65a93c84ced49ca27aa9054207fa34b8f572163fe35c3804ed7057e828a080a7
SHA512

e5c73b5c276d570b6e282965d63bbfcc5b5becb70cdb6e5671e3bb9d822d0d8e694da5e7849ec8e16e84021c86019dc4e7e745e1fd7b8eb7683426ba99a3c522
SSDEEP

3072:nDn5ViIulvUefkqTNfO5sn02MIzSS38eYYD5/tg4:twIUPfkqBfOh2MIzyDYD5

Score

10^/10

njrat blessedgroup evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

BlessedGroup

C2

212.83.167.116:1604

Mutex

83fed1c87ede166436b0f205e59a52cf

Attributes

reg_key
83fed1c87ede166436b0f205e59a52cf
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eTopY.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2176 netsh.exe

pid	process
2176	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	eTopY.exe

Drops startup file 2 IoCs

Processes:

eTopY.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83fed1c87ede166436b0f205e59a52cf.exe	eTopY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83fed1c87ede166436b0f205e59a52cf.exe	eTopY.exe

Executes dropped EXE 4 IoCs

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exetk.exeeTopY.exe

pid process

1644 6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
4152 eTopY.exe
4900 tk.exe
4816 eTopY.exe

pid	process
1644	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
4152	eTopY.exe
4900	tk.exe
4816	eTopY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

eTopY.exeeTopY.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\@@#@#$#5rgvbtayt7qwyqu%%%%nb77^$$#$$%&&(%%#%& = "\"ApplicationData\\d2.exe\""	eTopY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83fed1c87ede166436b0f205e59a52cf = "\"C:\\Users\\Admin\\AppData\\Roaming\\eTopY.exe\" .."	eTopY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\83fed1c87ede166436b0f205e59a52cf = "\"C:\\Users\\Admin\\AppData\\Roaming\\eTopY.exe\" .."	eTopY.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exe

description	pid	process	target process
PID 3696 set thread context of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 4152 set thread context of 4816	4152	eTopY.exe	eTopY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exe

pid	process
3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
4152	eTopY.exe
4152	eTopY.exe
4152	eTopY.exe
4152	eTopY.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exeeTopY.exe

description	pid	process
Token: SeDebugPrivilege	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
Token: SeDebugPrivilege	4152	eTopY.exe
Token: SeDebugPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe
Token: 33	4816	eTopY.exe
Token: SeIncBasePriorityPrivilege	4816	eTopY.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exeeTopY.exeeTopY.exe

description	pid	process	target process
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 3696 wrote to memory of 1644	3696	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
PID 1644 wrote to memory of 4152	1644	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	eTopY.exe
PID 1644 wrote to memory of 4152	1644	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	eTopY.exe
PID 1644 wrote to memory of 4152	1644	6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe	eTopY.exe
PID 4152 wrote to memory of 4900	4152	eTopY.exe	tk.exe
PID 4152 wrote to memory of 4900	4152	eTopY.exe	tk.exe
PID 4152 wrote to memory of 4900	4152	eTopY.exe	tk.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4152 wrote to memory of 4816	4152	eTopY.exe	eTopY.exe
PID 4816 wrote to memory of 2176	4816	eTopY.exe	netsh.exe
PID 4816 wrote to memory of 2176	4816	eTopY.exe	netsh.exe
PID 4816 wrote to memory of 2176	4816	eTopY.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe"
1⤵
- Disables RegEdit via registry modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696

C:\Users\Admin\AppData\Local\Temp\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Roaming\eTopY.exe
"C:\Users\Admin\AppData\Roaming\eTopY.exe"
3⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\tk.exe
"C:\Users\Admin\AppData\Local\Temp\tk.exe"
4⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Roaming\eTopY.exe
"C:\Users\Admin\AppData\Roaming\eTopY.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\eTopY.exe" "eTopY.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe.log

Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b91dc8b77d784e9f1904f25f3f66faf_JaffaCakes118.exe

Filesize
213KB

MD5
6b91dc8b77d784e9f1904f25f3f66faf

SHA1
110893b2ef0523f24c791f3697d9e4bc5b9eda5f

SHA256
65a93c84ced49ca27aa9054207fa34b8f572163fe35c3804ed7057e828a080a7

SHA512
e5c73b5c276d570b6e282965d63bbfcc5b5becb70cdb6e5671e3bb9d822d0d8e694da5e7849ec8e16e84021c86019dc4e7e745e1fd7b8eb7683426ba99a3c522

Download Submit
C:\Users\Admin\AppData\Local\Temp\tk.exe

Filesize
23KB

MD5
d59fef8c6b7c45b4dbd396b4fe27f9b6

SHA1
fe8ce1b07e0cdc0cf2cc6e053db48855aa88da54

SHA256
1c7cdd42bc908cd34051f2fc4bc2858e14d8f25edc94b6698e0b399cb670efe1

SHA512
9f822bfa93b7b3982686f22016048712f0d42b180417565d222005784d4e8eadccb3b77b4733289dd2c8c20c6552195611d5871b7448658dbb0d4898a865c5ec

Download Submit
memory/1644-11-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1644-10-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1644-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1644-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1644-26-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/1644-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3696-2-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3696-0-0x0000000075082000-0x0000000075083000-memory.dmp

Filesize
4KB

Download
memory/3696-13-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3696-4-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3696-3-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/3696-1-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4152-27-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4152-28-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4152-29-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4152-44-0x0000000075080000-0x0000000075631000-memory.dmp

Filesize
5.7MB

Download
memory/4816-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads