njrat | 95ce20738417b106d618edd9e142138b7214516604b3d9bf4d653b29c25dfa61

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe
Size

340KB
MD5

6ee1151a07766fb6930fa6c4bc674b8a
SHA1

0f1ca74bc9a40136998647c59e3b9ca1666cea52
SHA256

95ce20738417b106d618edd9e142138b7214516604b3d9bf4d653b29c25dfa61
SHA512

ebd111009f0cd03dd0ca00309747b6e2d341319eb16a2fd487ae1ad9cdfac76c1a8406b4d3c38ecae19a5dab2c2cf9dc0ed27a8dfd3c98cafb30f0592e5b540f
SSDEEP

6144:5/fAhvV6B8ErzPZp5wdz753RSkOKbEJCI94IvUHWT:1fAv6B8azBwdFOyEsI+IsHW

Score

10^/10

njrat hacked trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

195.123.220.225:3223

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

Server.exe

pid process

2384 Server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Server.exe

pid process

2384 Server.exe

pid	process
2384	Server.exe

pid	process
2384	Server.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

Server.exe

description	pid	process
Token: SeDebugPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe
Token: 33	2384	Server.exe
Token: SeIncBasePriorityPrivilege	2384	Server.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe

description	pid	process	target process
PID 832 wrote to memory of 2384	832	6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe	Server.exe
PID 832 wrote to memory of 2384	832	6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe	Server.exe
PID 832 wrote to memory of 2384	832	6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe	Server.exe
PID 832 wrote to memory of 2384	832	6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ee1151a07766fb6930fa6c4bc674b8a_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Server.exe
"C:\Server.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Server.exe

Filesize
43KB

MD5
e1b492ae05dc82e85731cc0ff9c492bc

SHA1
c86459cfdd119713a072c00af6365a0a9457ad0a

SHA256
8c290da9a90ce2e5db422656fbd8e1f557ea1236e49604b4a1ab6db7b5ea5bfb

SHA512
572dcf504cfd6a25e5d01fd1d4d0ede9f85573818644fe9bba72fdbd343921568eaef7840a7bc32cda09e19d640bef98cd1dd8bb51d6ceb4a9b62115d5c5fbba

Download Submit
memory/2384-11-0x000000007383E000-0x000000007383F000-memory.dmp

Filesize
4KB

Download
memory/2384-12-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download
memory/2384-13-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2384-14-0x000000007383E000-0x000000007383F000-memory.dmp

Filesize
4KB

Download
memory/2384-15-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download