njrat | f5f37fe430f04da2a66bd73cb8012586340df7ba3ba8021119c94a9123569c5b

General

Target

72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe
Size

43KB
MD5

72abfe56888d66111e9a6c9988a6ee82
SHA1

6d7962d81e137ac1584d4d1da2238477d68e5f3f
SHA256

f5f37fe430f04da2a66bd73cb8012586340df7ba3ba8021119c94a9123569c5b
SHA512

8da0009c51085dbb76f3ac589c6b7e28612da9fbb0f9afeaba82e2549b8c99a910c6fe9ccd932561971ba07431da90927a9a44bdaf91aeeb65818f30c1c4ead7
SSDEEP

384:AZyAj3n1iDcsyEqtlzQAyuqEZGyeEtzcIij+ZsNO3PlpJKkkjh/TzF7pWnY/greT:mL3nU4pEqtVQAxuypuXQ/oh3+L

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

Processes:

Dllhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	Dllhost.exe

Executes dropped EXE 3 IoCs

Processes:

Dllhost.exeServer.exeServer.exe

pid process

2148 Dllhost.exe
2788 Server.exe
1816 Server.exe
Loads dropped DLL 1 IoCs

Processes:

72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe

pid process

2288 72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe

pid	process
2148	Dllhost.exe
2788	Server.exe
1816	Server.exe

pid	process
2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Dllhost.exe\" .."	Dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2664 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exeDllhost.exe

pid process

2288 72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe
2148 Dllhost.exe

pid	process
2664	schtasks.exe

pid	process
2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe
2148	Dllhost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Dllhost.exe

description	pid	process
Token: SeDebugPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe
Token: 33	2148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2148	Dllhost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exeDllhost.exetaskeng.exe

description	pid	process	target process
PID 2288 wrote to memory of 2148	2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe	Dllhost.exe
PID 2288 wrote to memory of 2148	2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe	Dllhost.exe
PID 2288 wrote to memory of 2148	2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe	Dllhost.exe
PID 2288 wrote to memory of 2148	2288	72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe	Dllhost.exe
PID 2148 wrote to memory of 2664	2148	Dllhost.exe	schtasks.exe
PID 2148 wrote to memory of 2664	2148	Dllhost.exe	schtasks.exe
PID 2148 wrote to memory of 2664	2148	Dllhost.exe	schtasks.exe
PID 2148 wrote to memory of 2664	2148	Dllhost.exe	schtasks.exe
PID 2824 wrote to memory of 2788	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 2788	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 2788	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 2788	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 1816	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 1816	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 1816	2824	taskeng.exe	Server.exe
PID 2824 wrote to memory of 1816	2824	taskeng.exe	Server.exe

C:\Users\Admin\AppData\Local\Temp\72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72abfe56888d66111e9a6c9988a6ee82_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Dllhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Dllhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - Creates scheduled task(s)
    PID:2664

C:\Windows\system32\taskeng.exe
taskeng.exe {65730BD1-7822-48BB-A9A4-5C04264FF269} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dllhost.exe

Filesize
43KB

MD5
72abfe56888d66111e9a6c9988a6ee82

SHA1
6d7962d81e137ac1584d4d1da2238477d68e5f3f

SHA256
f5f37fe430f04da2a66bd73cb8012586340df7ba3ba8021119c94a9123569c5b

SHA512
8da0009c51085dbb76f3ac589c6b7e28612da9fbb0f9afeaba82e2549b8c99a910c6fe9ccd932561971ba07431da90927a9a44bdaf91aeeb65818f30c1c4ead7

Download Submit
memory/1816-22-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2148-10-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-11-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/2148-13-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-16-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-17-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/2288-1-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/2288-2-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-12-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-20-0x00000000000E0000-0x00000000000F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads