njrat | 8fc35f16c6869daa3403ecf0a59f3eb1f6d03f47d12bb6655c360d13542e3e81

General

Target

71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
Size

31KB
MD5

71465e11a009dfd6d80db0d63fa2fd1b
SHA1

5923541e75e7669d8fdf0f2a7a74454793481330
SHA256

8fc35f16c6869daa3403ecf0a59f3eb1f6d03f47d12bb6655c360d13542e3e81
SHA512

f364302e73805a4f4784a5632c0a49e4d79f0a30f80c5ea58503cdd1edf3d75d41fb42ba4a023a2472511f6265fb1e3e75c92605eed528ef94e0f327606b4fe5
SSDEEP

768:3tijFXuTthUzxf6rFwA3Fh9vaDQmIDUu0tiw1j:oF+KKPsQVkBj

Score

10^/10

njrat 12d trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

12d

C2

senior12.ddns.net:6522

Mutex

b71af024f3fe5ce59b7d8571cfef3323

Attributes

reg_key
b71af024f3fe5ce59b7d8571cfef3323
splitter
Y262SUCZ4UJJ

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe

pid	process
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2752 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2944 71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2752 AcroRd32.exe
2752 AcroRd32.exe

pid	process
2752	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe

pid	process
2752	AcroRd32.exe
2752	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exerundll32.exe

description	pid	process	target process
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 2944 wrote to memory of 3048	2944	71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe	rundll32.exe
PID 3048 wrote to memory of 2752	3048	rundll32.exe	AcroRd32.exe
PID 3048 wrote to memory of 2752	3048	rundll32.exe	AcroRd32.exe
PID 3048 wrote to memory of 2752	3048	rundll32.exe	AcroRd32.exe
PID 3048 wrote to memory of 2752	3048	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71465e11a009dfd6d80db0d63fa2fd1b_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\shost
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\shost"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2752

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
426343b48807d378521acf5f0a7c4c6f

SHA1
73cebecbe8ffc851a2c12a9284886fcb6dcf35ae

SHA256
bd20def8bc06b8ebaf53d1a36d29a87f247ec39b3cf1b5de0216648c965181ec

SHA512
5088f44b635d7c5acfc65518d2bd6cdb857e0eafad292ce855907ffffdbddc6a6f6e53e716dd68e5682788f3f0199c29d767abfd9e1f21e6539ba3da8c68d523

Download Submit
C:\Users\Admin\AppData\Roaming\shost
Filesize
31KB

MD5
71465e11a009dfd6d80db0d63fa2fd1b

SHA1
5923541e75e7669d8fdf0f2a7a74454793481330

SHA256
8fc35f16c6869daa3403ecf0a59f3eb1f6d03f47d12bb6655c360d13542e3e81

SHA512
f364302e73805a4f4784a5632c0a49e4d79f0a30f80c5ea58503cdd1edf3d75d41fb42ba4a023a2472511f6265fb1e3e75c92605eed528ef94e0f327606b4fe5

Download Submit
memory/2944-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/2944-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2944-5-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing