njrat | 55ab4a25ebc82efbfeaafd3ca704df8e5b1e14596fe1316f90169b7319a8eb13

General

Target

717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Size

23KB
MD5

717185d0155273e35ef0c3e4209b7d22
SHA1

a8f366a2d23c645d9c375fa4a6b3a4a225017011
SHA256

55ab4a25ebc82efbfeaafd3ca704df8e5b1e14596fe1316f90169b7319a8eb13
SHA512

6985889f84719addf771cec7ce5d32d014da3793a23ba72859766ecbc2d5c97540dfe0c9000977cae0255e4cc48256b64ed8dab365b58c5e88f5b73332c15cc8
SSDEEP

384:BM8aSyS9gB3Y1KIay2X8cLZI6XgxsGJVPpmRvR6JZlbw8hqIusZzZD7:Z589tXvRpcnuY

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2732 netsh.exe

pid	process
2732	netsh.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: 33	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe

description	pid	process	target process
PID 2184 wrote to memory of 2732	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe	netsh.exe
PID 2184 wrote to memory of 2732	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe	netsh.exe
PID 2184 wrote to memory of 2732	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe	netsh.exe
PID 2184 wrote to memory of 2732	2184	717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe" "717185d0155273e35ef0c3e4209b7d22_JaffaCakes118.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2184-2-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-1-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download
memory/2184-0-0x0000000074331000-0x0000000074332000-memory.dmp

Filesize
4KB

Download
memory/2184-3-0x0000000074330000-0x00000000748DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing