Malware Analysis Report

2024-10-23 20:45

Sample ID 240528-1bymdada4z
Target 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118
SHA256 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
Tags njrat hacked trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d

Threat Level: Known bad

The file 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat hacked trojan

njRAT/Bladabindi

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-05-28 21:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-28 21:29

Reported 2024-05-28 21:31

Platform win7-20231129-en

Max time kernel 121s

Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"

Network

N/A (no network activity was recorded in this detonation; no njRAT C2 endpoint was observed)

Files

memory/780-0-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

memory/780-1-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/780-2-0x00000000003E0000-0x00000000003F6000-memory.dmp

memory/780-3-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

memory/780-6-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\patsh

MD5 7e771790005bf4bd41d8917e15ee449f
SHA1 b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b
SHA256 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
SHA512 6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019

Note: the MD5 and SHA256 of this dropped file are identical to those of the submitted sample, i.e. the executable wrote a copy of itself to %TEMP%\patsh (no file extension). That copy is the file handed to the Open With handler (rundll32.exe shell32.dll,OpenAs_RunDLL) and then opened by AcroRd32.exe in this run.

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ae765a562855d836d331a6c52bd41903
SHA1 9adfa45fffcc19842ea96d5c4dba5132aced153d
SHA256 cc73d312133f3f2113b3dd884e1b26e9aaf2ac0f1b43debb0d9fce2dbf0e153b
SHA512 7283bde188d9de7d9e113ee83931d576a3ac8dd0d8e3bd33e3c6144ef230dd9150f27f16e7af90a609b083b7fe841b278aad6fa2afc4a9eeb2678b9097604038
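The dropped-file entries above are the raw report output; the following is an added example (not part of the sandbox report) that parses entries in this layout and flags any dropped file whose digests match the submitted sample, which is how the self-copy at %TEMP%\patsh stands out. REPORT_EXCERPT is copied from this Files section; the layout rules (blank-line separated entries, memory/... lines carry no digests) are an assumption about the report format, and SAMPLE holds only the digests the report header provides.

```python
"""Parse 'Files' entries (a path, then MD5/SHA1/SHA256/SHA512 lines) and
flag dropped files whose digests equal the submitted sample's.

Added example, not part of the sandbox report. REPORT_EXCERPT is copied
from the behavioral1 Files section; the layout rules are an assumption
about the report format.
"""
import re

REPORT_EXCERPT = r"""
memory/780-6-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\patsh

MD5 7e771790005bf4bd41d8917e15ee449f
SHA1 b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b
SHA256 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
SHA512 6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ae765a562855d836d331a6c52bd41903
SHA1 9adfa45fffcc19842ea96d5c4dba5132aced153d
SHA256 cc73d312133f3f2113b3dd884e1b26e9aaf2ac0f1b43debb0d9fce2dbf0e153b
SHA512 7283bde188d9de7d9e113ee83931d576a3ac8dd0d8e3bd33e3c6144ef230dd9150f27f16e7af90a609b083b7fe841b278aad6fa2afc4a9eeb2678b9097604038
"""

# Digests of the submitted sample, taken from the report header
# (MD5 is the sample's file name, SHA256 is the header SHA256 line).
SAMPLE = {
    "MD5": "7e771790005bf4bd41d8917e15ee449f",
    "SHA256": "70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d",
}

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_file_entries(text: str) -> list[dict]:
    """Return one dict per file entry: {'path': ..., 'MD5': ..., ...}.

    A digest of the wrong length (truncated copy/paste) raises instead of
    silently producing an IOC that can never match.
    """
    entries: list[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has "
                                 f"{len(digest)} hex chars, expected {HASH_LEN[algo]}")
            current[algo] = digest
        elif line.startswith("memory/"):
            current = None          # memory-dump regions list no digests
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def self_copies(entries: list[dict], sample: dict) -> list[str]:
    """Paths whose every digest shared with `sample` matches it exactly.

    Comparing all shared algorithms (not just MD5) avoids a false match on
    a single colliding or mistyped digest.
    """
    out = []
    for e in entries:
        shared = [a for a in HASH_LEN if a in e and a in sample]
        if shared and all(e[a] == sample[a].lower() for a in shared):
            out.append(e["path"])
    return out


if __name__ == "__main__":
    for path in self_copies(parse_file_entries(REPORT_EXCERPT), SAMPLE):
        print("self-copy of the sample:", path)
```

Running it on the excerpt reports only the Temp\patsh entry; the Acrobat SharedDataEvents file, which Reader writes on its own, does not match.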

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-28 21:29

Reported 2024-05-28 21:31

Platform win10v2004-20240226-en

Max time kernel 142s

Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
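Both detonations show the same chain: the sample in %TEMP% hands an extensionless file to the shell's Open With machinery (rundll32.exe shell32.dll,OpenAs_RunDLL on Windows 7, OpenWith.exe -Embedding on Windows 10) and a document handler ends up opening it. The following is an added example, not part of the sandbox report, of command-line detection logic for that chain. The (image, cmdline) pairs are constructed from the Processes sections of behavioral1 and behavioral2 (the msedge.exe arguments are trimmed); the rule names and the record shape are my own.

```python
"""Command-line detection for the process chain seen in both detonations.

Added example (not part of the sandbox report): EVENTS is constructed from
the report's Processes sections; rule names are this example's own.
"""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    image: str
    target: str


# Files under the user's Temp directory, as in the report.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# rundll32 invoking the "Open With" dialog export of shell32.dll.
OPENAS = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL\b", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_extensionless(path: str) -> bool:
    """True when the final path component has no file extension."""
    return "." not in path.rsplit("\\", 1)[-1]


def inspect(image: str, cmdline: str) -> list[Finding]:
    """Apply the three rules to one process-creation record."""
    findings: list[Finding] = []
    args = split_cmdline(cmdline)[1:]      # drop argv[0]
    img = image.lower()

    # Rule 1: rundll32 asked to show the Open With dialog for a Temp file
    # (behavioral1: shell32.dll,OpenAs_RunDLL ...\Temp\patsh).
    if img.endswith("\\rundll32.exe") and OPENAS.search(cmdline):
        for a in args:
            if TEMP_DIR.search(a):
                findings.append(Finding("openas_rundll_on_temp_file", image, a))

    # Rule 2: OpenWith.exe activated out-of-process via COM
    # (behavioral2: OpenWith.exe -Embedding). Weak on its own: correlate
    # with rule 1 or 3 in the same session before alerting.
    if img.endswith("\\openwith.exe") and any(a.lower() == "-embedding" for a in args):
        findings.append(Finding("openwith_com_activation", image, ""))

    # Rule 3: any other program handed an extensionless file from Temp
    # (behavioral1: AcroRd32.exe "...\Temp\patsh").
    if not img.endswith(("\\rundll32.exe", "\\openwith.exe")):
        for a in args:
            if TEMP_DIR.search(a) and is_extensionless(a):
                findings.append(Finding("extensionless_temp_file_opened", image, a))
    return findings


# Constructed from the report's Processes sections; not a live log.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"'),
    (r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh'),
    (r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"'),
    (r"C:\Windows\system32\OpenWith.exe",
     r"C:\Windows\system32\OpenWith.exe -Embedding"),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US /prefetch:8'),
]


def scan(events) -> list[Finding]:
    """Run inspect() over (image, cmdline) pairs and collect all findings."""
    return [f for image, cmdline in events for f in inspect(image, cmdline)]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:32} {f.image}  {f.target}")
```

On the constructed events the sample's own launch and the Edge utility process produce nothing; rundll32, AcroRd32 and OpenWith each produce one finding. Rule 3 is the one worth tuning in a real environment, since legitimate installers occasionally open extensionless files from Temp.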

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.131.50.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
FR | 216.58.214.170:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 170.214.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Note: every recorded flow is a reverse-DNS (in-addr.arpa) lookup via 8.8.8.8 or a TLS connection to chromewebstore.googleapis.com, which is consistent with the msedge.exe utility process in this detonation rather than njRAT command-and-control. No C2 endpoint was captured in either run, so the njRAT/Bladabindi verdict rests on the signature match, not on observed beaconing.

Files

memory/4868-0-0x00007FF9EACE5000-0x00007FF9EACE6000-memory.dmp

memory/4868-1-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp

memory/4868-2-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp

memory/4868-3-0x000000001B7F0000-0x000000001BCBE000-memory.dmp

memory/4868-4-0x000000001B180000-0x000000001B196000-memory.dmp

memory/4868-5-0x000000001BCC0000-0x000000001BD66000-memory.dmp

memory/4868-9-0x00007FF9EAA30000-0x00007FF9EB3D1000-memory.dmp