Analysis Overview
SHA256
70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
Threat Level: Known bad
The file 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 21:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 21:29
Reported
2024-05-28 21:31
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
njRAT/Bladabindi
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"
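The process list above is the most informative part of this detonation: the sample launches rundll32.exe with shell32.dll,OpenAs_RunDLL (the export behind the Windows "Open With" dialog) on C:\Users\Admin\AppData\Local\Temp\patsh, a dropped file with no extension, and the sandbox's chosen handler (AcroRd32.exe here, OpenWith.exe on Windows 10) is what then appears in the tree. The GetForegroundWindowSpam and SetWindowsHookEx hits are attributed to AcroRd32.exe, not to the sample. The script below is an added example, not part of the report or of any sandbox tooling. It replays the three launches as constructed process-creation events (images and command lines copied from the list above; PIDs and parent links are assumed, since the report does not print them), flags the rundll32/OpenAs_RunDLL-from-Temp pattern, and labels each reported signature hit as coming from the sample itself or from the file-handler chain it spawned.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. Images/command lines are copied from the behavioral1
# process list; the PIDs and parent links are assumed (not in the report).
EVENTS = [
    ProcEvent(780, 1337,
              r"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"'),
    ProcEvent(1404, 780,
              r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh'),
    ProcEvent(1620, 1404,
              r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"'),
]

# Signature hits exactly as the behavioral1 report attributes them.
REPORTED_HITS = [
    ("Suspicious behavior: GetForegroundWindowSpam", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    ("Suspicious use of SetWindowsHookEx", r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"),
    ("Modifies registry class", r"C:\Windows\system32\rundll32.exe"),
]

# Per-user and system temp directories (case-insensitive).
TEMP_DIR = re.compile(r"(?i)\\(?:Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp)\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring and stripping double quotes."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_rundll32(cmdline):
    """Return (dll, export, args) for a rundll32 command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith("rundll32.exe"):
        return None
    dll, _, export = toks[1].rpartition(",")
    if not dll:                      # "rundll32 foo.dll" with no ,Export given
        dll, export = export, ""
    return dll, export, toks[2:]


def find_openwith_from_temp(events):
    """Flag rundll32 -> shell32!OpenAs_RunDLL launched by a Temp-resident parent on a Temp file."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parsed = parse_rundll32(e.cmdline)
        if not parsed:
            continue
        dll, export, args = parsed
        if export.lower() != "openas_rundll" or not args:
            continue
        target, parent = args[0], by_pid.get(e.ppid)
        if TEMP_DIR.search(target) and parent and TEMP_DIR.search(parent.image):
            findings.append({"pid": e.pid, "dll": dll, "export": export,
                             "target": target, "parent_image": parent.image})
    return findings


def descendants(events, root_pid):
    """All PIDs transitively spawned by root_pid."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    out, stack = set(), [root_pid]
    while stack:
        for c in children.get(stack.pop(), []):
            if c not in out:
                out.add(c)
                stack.append(c)
    return out


def attribute_hits(events, hits):
    """Label each (signature, image) hit: 'sample' for the root executable,
    'file-handler' for the OpenAs_RunDLL rundll32 and everything it launched, else 'other'."""
    known_pids = {e.pid for e in events}
    sample_images = {e.image.lower() for e in events if e.ppid not in known_pids}
    handler_pids = set()
    for f in find_openwith_from_temp(events):
        handler_pids |= {f["pid"]} | descendants(events, f["pid"])
    handler_images = {e.image.lower() for e in events if e.pid in handler_pids}
    result = {}
    for sig, image in hits:
        img = image.lower()
        result[sig] = ("sample" if img in sample_images
                       else "file-handler" if img in handler_images else "other")
    return result


if __name__ == "__main__":
    for f in find_openwith_from_temp(EVENTS):
        print(f"pid {f['pid']}: {f['dll']}!{f['export']} on {f['target']} (parent: {f['parent_image']})")
    for sig, label in attribute_hits(EVENTS, REPORTED_HITS).items():
        print(f"{label:13} {sig}")
```

The Temp-plus-Temp condition is deliberately narrow: OpenAs_RunDLL is invoked legitimately every time a user double-clicks an unknown file from Explorer, so the parent's location, not the export itself, is what makes this worth a detection rule. The attribution step is the caveat for reading the signature tables in this report: hits raised by the handler say something about Adobe Reader, not about the sample.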
Network
Files
memory/780-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp
memory/780-1-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/780-2-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/780-3-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
memory/780-6-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\patsh (the hashes below are identical to the submitted sample's SHA256 in the overview: this dropped file is a byte-for-byte copy of the sample, written without a file extension)
| MD5 | 7e771790005bf4bd41d8917e15ee449f |
| SHA1 | b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b |
| SHA256 | 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d |
| SHA512 | 6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | ae765a562855d836d331a6c52bd41903 |
| SHA1 | 9adfa45fffcc19842ea96d5c4dba5132aced153d |
| SHA256 | cc73d312133f3f2113b3dd884e1b26e9aaf2ac0f1b43debb0d9fce2dbf0e153b |
| SHA512 | 7283bde188d9de7d9e113ee83931d576a3ac8dd0d8e3bd33e3c6144ef230dd9150f27f16e7af90a609b083b7fe841b278aad6fa2afc4a9eeb2678b9097604038 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 21:29
Reported
2024-05-28 21:31
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
njRAT/Bladabindi
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| FR | 216.58.214.170:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 170.214.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
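Every in-addr.arpa row in the table above is a reverse (PTR) lookup, and a PTR name encodes an IPv4 address with its octets reversed, so 170.214.58.216.in-addr.arpa is the reverse lookup for 216.58.214.170, the one TCP destination in the table. The following is an added example, not part of the report: it reads the rows as printed, decodes the PTR names back to addresses (ip6.arpa names are handled too, as a generalization beyond what this table contains), and joins them against the observed connections. The report does not say which process issued each query, so the join tells you which addresses were actually connected to and which were only resolved in reverse; it does not, on its own, tie any row to the sample rather than to the Edge utility process in the tree.

```python
import ipaddress

# Rows copied from the behavioral2 Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.131.50.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("US", "8.8.8.8:53", "chromewebstore.googleapis.com", "udp"),
    ("FR", "216.58.214.170:443", "chromewebstore.googleapis.com", "tcp"),
    ("US", "8.8.8.8:53", "170.214.58.216.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "18.173.189.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Decode a reverse-DNS name to its address string, or return None for a forward name.

    '170.214.58.216.in-addr.arpa' -> '216.58.214.170'; ip6.arpa names (32 nibble labels)
    are decoded to compressed IPv6 form. Malformed names return None rather than raising.
    """
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    except ValueError:
        return None
    return None


def split_dest(dest):
    """'216.58.214.170:443' -> ('216.58.214.170', 443), validating the address."""
    host, _, port = dest.rpartition(":")
    return str(ipaddress.ip_address(host)), int(port)


def correlate(rows):
    """Separate resolver traffic, PTR lookups, forward lookups and real connections,
    then report which PTR-decoded addresses were (and were not) actually connected to."""
    resolvers, ptr_lookups, forward_lookups, connections = set(), {}, {}, []
    for country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        if proto == "udp" and port == 53:
            resolvers.add(ip)
            decoded = ptr_to_ip(domain)
            if decoded:
                ptr_lookups[decoded] = domain
            else:
                forward_lookups[domain] = forward_lookups.get(domain, 0) + 1
        else:
            connections.append((ip, port, domain, country))
    connected = {c[0] for c in connections}
    return {
        "resolvers": resolvers,
        "ptr_lookups": ptr_lookups,
        "forward_lookups": forward_lookups,
        "connections": connections,
        "ptr_with_connection": sorted(ip for ip in ptr_lookups if ip in connected),
        "ptr_without_connection": sorted(ip for ip in ptr_lookups if ip not in connected),
    }


if __name__ == "__main__":
    r = correlate(ROWS)
    print("resolvers:", sorted(r["resolvers"]))
    print("forward lookups:", r["forward_lookups"])
    print("connections:", r["connections"])
    print("PTR-decoded addresses also connected to:", r["ptr_with_connection"])
    print("PTR-decoded addresses never connected to:", r["ptr_without_connection"])
```

Run against the rows above, the only connection is 216.58.214.170:443 for chromewebstore.googleapis.com, its reverse lookup is the single PTR with a matching connection, and the other ten PTR-decoded addresses have no connection in the capture at all. Reverse lookups of addresses the host never connects to during the run are a common by-product of OS and browser background activity, which is another reason not to read this table as sample C2 without a process attribution the report does not provide.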
Files
memory/4868-0-0x00007FF9EACE5000-0x00007FF9EACE6000-memory.dmp
memory/4868-1-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp
memory/4868-2-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp
memory/4868-3-0x000000001B7F0000-0x000000001BCBE000-memory.dmp
memory/4868-4-0x000000001B180000-0x000000001B196000-memory.dmp
memory/4868-5-0x000000001BCC0000-0x000000001BD66000-memory.dmp
memory/4868-9-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp