njrat | f7b6de225de9565fe776d6251a1e8b943f17b6bf6aa2534e60519edef2f96848

General

Target

72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe
Size

29KB
MD5

72e3de9cd1c8fa1060ed55328593f8e9
SHA1

b25ad9ba727df26d4a4b09f433ea92fe850fd604
SHA256

f7b6de225de9565fe776d6251a1e8b943f17b6bf6aa2534e60519edef2f96848
SHA512

f2056faadd9328d5db0dad6a35f8c252f1cb2447fe7e646808211540fd592cd967910c67a17ea6d71d968d31d0d8e38e7405a32948ff18aa33de7bbe5180ce32
SSDEEP

384:HXADuwIclGTiykFS62IWbaxyWGzWfsL6MHT5Km2NFmVDTdZ6z6UiLccUievXeREn:3JwTlG+WdWGJHTINFUTP62jcpzyiC

Score

10^/10

njrat virus_corona evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

virus_corona

C2

hakim32.ddns.net:2000

Mutex

854adc37b7072004486bd544097649ff

Attributes

reg_key
854adc37b7072004486bd544097649ff
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2776	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854adc37b7072004486bd544097649ff.exe	joe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\854adc37b7072004486bd544097649ff.exe	joe.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	joe.exe

Loads dropped DLL 1 IoCs

pid	Process
1368	72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe
Token: 33	2324	joe.exe
Token: SeIncBasePriorityPrivilege	2324	joe.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2324	1368	72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2324	1368	72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2324	1368	72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe	28
PID 1368 wrote to memory of 2324	1368	72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe	28
PID 2324 wrote to memory of 2776	2324	joe.exe	29
PID 2324 wrote to memory of 2776	2324	joe.exe	29
PID 2324 wrote to memory of 2776	2324	joe.exe	29
PID 2324 wrote to memory of 2776	2324	joe.exe	29

C:\Users\Admin\AppData\Local\Temp\72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72e3de9cd1c8fa1060ed55328593f8e9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\joe.exe
  "C:\Users\Admin\AppData\Local\Temp\joe.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\joe.exe" "joe.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
\Users\Admin\AppData\Local\Temp\joe.exe

Filesize
29KB

MD5
72e3de9cd1c8fa1060ed55328593f8e9

SHA1
b25ad9ba727df26d4a4b09f433ea92fe850fd604

SHA256
f7b6de225de9565fe776d6251a1e8b943f17b6bf6aa2534e60519edef2f96848

SHA512
f2056faadd9328d5db0dad6a35f8c252f1cb2447fe7e646808211540fd592cd967910c67a17ea6d71d968d31d0d8e38e7405a32948ff18aa33de7bbe5180ce32

Download Submit
memory/1368-0-0x00000000748A1000-0x00000000748A2000-memory.dmp

Filesize
4KB

Download
memory/1368-1-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-2-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1368-11-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-12-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-16-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads