Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 07:45

General

  • Target

    6dc9f85dc63d88d82305ee118a6dc35b_JaffaCakes118.exe

  • Size

    252KB

  • MD5

    6dc9f85dc63d88d82305ee118a6dc35b

  • SHA1

    0ad2a307a342ddf2f5f24f6ef80bffcc51bf912f

  • SHA256

    4a6fd719619ff72fa045f8fe1c386407d5819d321819119ffb5908bc40626865

  • SHA512

    a051cbbf93e2854d4b4249c013606f6ac20a4d50cbdf597786e006d739cf78454eb0f0ca0bc4a3a8e102143cb9cfcd09b0d3aa184c6874a554fba8bba912d64c

  • SSDEEP

    6144:bnx1pFOA758zGjdZAxlhGLnv4LNStRpRzAtpJkWl:DOA18zGuGDARSzAXl

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

snopi.ddns.net:9100

Mutex

5bfa04bf4e1b1b13538ee68039ccfeba

Attributes
  • reg_key

    5bfa04bf4e1b1b13538ee68039ccfeba

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (23 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (16 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dc9f85dc63d88d82305ee118a6dc35b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6dc9f85dc63d88d82305ee118a6dc35b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\..exe
      "C:\Users\Admin\AppData\Local\Temp\..exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Users\Admin\AppData\Local\Temp\smart.exe
        "C:\Users\Admin\AppData\Local\Temp\smart.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\smart.exe" "smart.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2096
    • C:\Users\Admin\AppData\Local\Temp\fb.exe
      "C:\Users\Admin\AppData\Local\Temp\fb.exe"
      2⤵
      • Executes dropped EXE
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\..exe

    Filesize

    97KB

    MD5

    6b2f9bd816a587fc95b180165fc2de52

    SHA1

    883d0273809933c3f1c8c3028a3292a6b6b685a3

    SHA256

    3e724526d13e04bd577505dca03ce99a84ec6b51997b08bcb91b998ef724f5ec

    SHA512

    1b588c9ab8251c0f7389944cc9ba79c2ff17c37c1824743e06f0634c1a159835b3744b1a6e8718e1c2594832a913d657cb7d35b4eb7faed613f5e0fced8d1cea

  • \Users\Admin\AppData\Local\Temp\fb.exe

    Filesize

    348KB

    MD5

    e4ef92e29a8783494b782f36b4945197

    SHA1

    f8cbd43814bee27349e88aec712c15fd5f8827e5

    SHA256

    934a506ab96759ed32ba1d0bd73191f0369b90af62ad52a934f577e5d1823161

    SHA512

    a1c38125b841e23223c7daf4230a6c4cfdec9dfef7d7a986ab6b037ba9de0be3744f6f53d24aa1ae03451ff7848695f33fb5effe8da3d5e455f3e630b54a4187

  • memory/2112-14-0x0000000073BCE000-0x0000000073BCF000-memory.dmp

    Filesize

    4KB

  • memory/2112-15-0x0000000000AF0000-0x0000000000B10000-memory.dmp

    Filesize

    128KB

  • memory/2112-18-0x00000000006D0000-0x00000000006DE000-memory.dmp

    Filesize

    56KB

  • memory/2548-26-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

    Filesize

    128KB

  • memory/2700-16-0x0000000000AE0000-0x0000000000B3E000-memory.dmp

    Filesize

    376KB

  • memory/2700-17-0x0000000073BC0000-0x00000000742AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2700-27-0x0000000073BC0000-0x00000000742AE000-memory.dmp

    Filesize

    6.9MB