Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    28-05-2024 21:29

General

  • Target

    7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe

  • Size

    33KB

  • MD5

    7e771790005bf4bd41d8917e15ee449f

  • SHA1

    b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b

  • SHA256

    70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d

  • SHA512

    6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019

  • SSDEEP

    768:VvTJ6v6kk5ftm4uw4yNUHOhEl23GJJRH+jcnuVTiNeVRT:tJY6kk5ftjuw4y+ssSGH1QcGDVRT

Score
10/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |'|'|
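
The splitter, botnet name and C2 above are the values a detection would key on; the following added example (not part of the sandbox report or of njRAT itself) parses a constructed njRAT-style check-in stream with that splitter and decodes the base64 fields. The length-prefix framing (ASCII decimal byte count, a NUL byte, then the body) and the 'll' / 'inf' command names are assumptions about the 0.7d wire format, not facts taken from this page; the traffic is constructed inline, not captured.

```python
import base64

# Values the sandbox extracted from this sample's njRAT config.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "127.0.0.1", 1177
MUTEX = "Windows Update"
REG_KEY = "Windows Update"


def frame(payload: str) -> bytes:
    """Wrap one message: ASCII decimal byte length, a NUL byte, then the
    UTF-8 body. This framing is an assumption about njRAT 0.7d, not from the report."""
    body = payload.encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_stream(data: bytes):
    """Split a captured TCP stream into (command, fields) tuples.
    Returns whatever parsed cleanly and stops at the first malformed or
    truncated frame instead of raising, so a partial capture still yields IOCs."""
    messages = []
    pos = 0
    while pos < len(data):
        nul = data.find(b"\x00", pos)
        if nul < 0:
            break
        try:
            length = int(data[pos:nul])
        except ValueError:          # no numeric length prefix: not this protocol
            break
        body = data[nul + 1:nul + 1 + length]
        if len(body) < length:      # truncated frame at end of capture
            break
        fields = body.decode("utf-8", errors="replace").split(SPLITTER)
        messages.append((fields[0], fields[1:]))
        pos = nul + 1 + length
    return messages


def decode_b64_field(field: str) -> str:
    """Some njRAT fields are base64-encoded; return the raw text if a field is not."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except Exception:
        return field


def looks_like_njrat(data: bytes) -> bool:
    """Cheap stream heuristic: the configured splitter is present and at least
    one length-prefixed frame parses."""
    return SPLITTER.encode() in data and len(parse_stream(data)) > 0


# Constructed check-in traffic (not a real capture): an 'll' info message whose
# first field is the base64-encoded botnet name, followed by an 'inf' heartbeat.
CONSTRUCTED_STREAM = (
    frame(SPLITTER.join(["ll", base64.b64encode(b"HacKed").decode(), "WIN7-PC", "Admin"]))
    + frame("inf")
)

if __name__ == "__main__":
    for command, fields in parse_stream(CONSTRUCTED_STREAM):
        print(command, [decode_b64_field(f) for f in fields])
```

Because this sample's C2 is 127.0.0.1:1177, the loopback address itself is useless as a network indicator; the splitter string and the mutex/registry value name "Windows Update" are what carry over to other builds of the same family.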

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2612
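
The file list below shows that `patsh` has exactly the same hashes as the submitted sample, so the tree above is the sample writing an extension-less copy of itself to %TEMP% and handing it to shell32's OpenAs_RunDLL, which on this image resolved to Adobe Reader. The following added example (not part of the report) flags that pattern over constructed process-creation events copied from the tree: rundll32.exe invoking OpenAs_RunDLL where both the parent image and the target file live under AppData\Local\Temp, with a note on whether the target is a byte-for-byte copy of the parent. The ProcEvent shape and the DROPPED map are assumptions standing in for whatever EDR or Sysmon feed you have.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


# Constructed events mirroring the sandbox tree (PIDs, images and command lines
# from the report; the hash is the sample's SHA256 from the file list).
SAMPLE_SHA256 = "70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ProcEvent(780, 0, TEMP + r"\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe",
              f'"{TEMP}\\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"', SAMPLE_SHA256),
    ProcEvent(2552, 780, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
              + TEMP + r"\patsh"),
    ProcEvent(2612, 2552, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              f'"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe" "{TEMP}\\patsh"'),
]
# Files written during the run, keyed by path (from the report's file list).
DROPPED = {TEMP + r"\patsh": SAMPLE_SHA256}


def is_temp_path(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def openas_target(cmdline: str):
    """Return the file handed to shell32!OpenAs_RunDLL, or None if not an OpenAs call."""
    marker = "openas_rundll"
    idx = cmdline.lower().find(marker)
    if idx < 0:
        return None
    return cmdline[idx + len(marker):].strip().strip('"')


def find_openas_decoys(events, dropped):
    """Flag rundll32 OpenAs_RunDLL launches whose parent and target both sit in %TEMP%.
    A user-driven 'Open with' dialog is parented by explorer.exe, not by a file in Temp."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\rundll32.exe"):
            continue
        target = openas_target(e.cmdline)
        if target is None:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not is_temp_path(parent.image) or not is_temp_path(target):
            continue
        target_hash = dropped.get(target, "")
        hits.append({
            "pid": e.pid,
            "parent": parent.image,
            "target": target,
            # True when the opened file is a byte-for-byte copy of the launching binary.
            "self_copy": bool(target_hash) and target_hash == parent.sha256,
        })
    return hits


if __name__ == "__main__":
    for hit in find_openas_decoys(EVENTS, DROPPED):
        print(hit)
```

The child AcroRd32.exe is whatever the image's Open With handler chose; the detection deliberately keys on the rundll32 stage so it does not depend on which viewer happens to be installed.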

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\patsh

    Filesize

    33KB

    MD5

    7e771790005bf4bd41d8917e15ee449f

    SHA1

    b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b

    SHA256

    70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d

    SHA512

    6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    ae765a562855d836d331a6c52bd41903

    SHA1

    9adfa45fffcc19842ea96d5c4dba5132aced153d

    SHA256

    cc73d312133f3f2113b3dd884e1b26e9aaf2ac0f1b43debb0d9fce2dbf0e153b

    SHA512

    7283bde188d9de7d9e113ee83931d576a3ac8dd0d8e3bd33e3c6144ef230dd9150f27f16e7af90a609b083b7fe841b278aad6fa2afc4a9eeb2678b9097604038

  • memory/780-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

    Filesize

    4KB

  • memory/780-1-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB

  • memory/780-2-0x00000000003E0000-0x00000000003F6000-memory.dmp

    Filesize

    88KB

  • memory/780-3-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB

  • memory/780-6-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

    Filesize

    9.6MB