Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 05:12

General

  • Target

    7bd1449412431d9fac27834f581a0268_JaffaCakes118.exe

  • Size

    565KB

  • MD5

    7bd1449412431d9fac27834f581a0268

  • SHA1

    a4bed12dcbf4468d4b522609a5e50f0e1395c8a7

  • SHA256

    ab0cf46b521df780e8d0218b58c11eb2d35cbd04a90cbfc28fcf4e5051d607e1

  • SHA512

    6f79fbb2662778c7990ac180ef533f52a5446d50686c2c5068d813e0f5ceca4435b9b7aaa638d2d10f5dc61643f940ff3a07e2ed9d3028946042a3e989edcd55

  • SSDEEP

    12288:DOgs3HszQpXU13UUI5TBSOzh2fQSLFnJgrrjU:Ns3aQpXUSUIFUA2fQSLFJt

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

C2

chola1.ddns.net:1177

Mutex

43df5702df2db1f4d0e90dcf8d9bdc19

Attributes
  • reg_key

    43df5702df2db1f4d0e90dcf8d9bdc19

  • splitter

    |'|'|
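
The extracted config gives the splitter and botnet name this sample uses on the wire. The block below is an added example, not code from the report or from njRAT, that parses an njRAT-style C2 stream with those two values and classifies each message. The length-prefix framing, the command names and the victim-id layout (botnet name, underscore, hardware id) are assumptions taken from public njRAT write-ups rather than from this page, and the sample stream is constructed, not traffic captured from this run.

```python
"""njRAT-style C2 framing check keyed on this sample's extracted config.

Added example: not code from the report or from the malware. SPLITTER and
BOTNET come from the config above; framing, command names and victim-id
layout are assumptions drawn from public njRAT write-ups."""

SPLITTER = "|'|'|"   # "splitter" attribute in the extracted config
BOTNET = "Lammer"    # "Botnet" field in the extracted config


# Assumption: each message is "<decimal length>\x00<payload>", length in bytes.
def frame(payload: bytes) -> bytes:
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def build(*fields: str) -> bytes:
    """Join fields with the configured splitter and frame the result."""
    return frame(SPLITTER.join(fields).encode("utf-8"))


def parse_stream(buf: bytes):
    """Split a byte stream into complete messages.

    Returns (messages, remainder). Each message is its list of fields; the
    remainder holds the bytes of a frame that has not fully arrived. A prefix
    that is not a plain decimal number stops parsing so unrelated data is
    never mis-split."""
    messages = []
    while buf:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                         # length prefix incomplete
        prefix = buf[:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            break                         # not this framing
        end = nul + 1 + int(prefix)
        if len(buf) < end:
            break                         # payload still arriving
        payload = buf[nul + 1:end].decode("utf-8", errors="replace")
        messages.append(payload.split(SPLITTER))
        buf = buf[end:]
    return messages, buf


# Assumption: command names used by njRAT 0.7d clients in public analyses.
KNOWN_COMMANDS = {"ll", "inf", "act", "ret", "CAP", "proc", "rss", "kl", "un", "up"}


def classify(fields) -> str:
    """Verdict for one parsed message."""
    if not fields:
        return "empty"
    cmd = fields[0]
    if cmd not in KNOWN_COMMANDS:
        return "unknown-command"
    # Assumption: the check-in's victim id is "<botnet>_<hwid>", which puts
    # the configured botnet name on the wire.
    if cmd == "ll" and len(fields) > 1 and fields[1].startswith(BOTNET + "_"):
        return "njrat-checkin:" + BOTNET
    return "njrat:" + cmd


def scan(buf: bytes):
    """Parse a stream and return (verdicts, remainder)."""
    messages, rest = parse_stream(buf)
    return [classify(m) for m in messages], rest


# Constructed sample stream (not captured from this sample): a check-in, an
# active-window report, and the start of a third frame that is cut short.
SAMPLE_STREAM = (
    build("ll", "Lammer_0123456789ABCDEF", "WIN7-PC", "Admin", "24-05-28", "US",
          "Win 7 Ultimate SP1", "No", "0.7d", "..", "Untitled - Notepad", "")
    + build("act", "Untitled - Notepad")
    + b"12\x00partial"
)

if __name__ == "__main__":
    print(scan(SAMPLE_STREAM))
```

The parser hands back any trailing partial frame, so it can be fed socket or reassembled pcap data in chunks. Classification needs nothing beyond the splitter and botnet name, which is why those two config fields are the ones worth carrying into a rule for traffic to chola1.ddns.net:1177.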

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 5 IoCs)
  • Drops startup file (10 IoCs)
  • Executes dropped EXE (10 IoCs)
  • Loads dropped DLL (20 IoCs)
  • Adds Run key to start application (2 TTPs, 10 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (60 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7bd1449412431d9fac27834f581a0268_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7bd1449412431d9fac27834f581a0268_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Roaming\Lammer.EXE
      "C:\Users\Admin\AppData\Roaming\Lammer.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Users\Admin\AppData\Local\Temp\Windows.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows.exe" "Windows.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2316
    • C:\Users\Admin\AppData\Roaming\Lammer1.EXE
      "C:\Users\Admin\AppData\Roaming\Lammer1.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe" "WindowsDefender.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2056
    • C:\Users\Admin\AppData\Roaming\Lammer2.EXE
      "C:\Users\Admin\AppData\Roaming\Lammer2.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Users\Admin\AppData\Local\Temp\System32.exe
        "C:\Users\Admin\AppData\Local\Temp\System32.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2084
    • C:\Users\Admin\AppData\Roaming\Lammer3.EXE
      "C:\Users\Admin\AppData\Roaming\Lammer3.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\chrome.exe
        "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\chrome.exe" "chrome.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2064
    • C:\Users\Admin\AppData\Roaming\Lammer4.EXE
      "C:\Users\Admin\AppData\Roaming\Lammer4.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Users\Admin\AppData\Local\Temp\schost.exe
        "C:\Users\Admin\AppData\Local\Temp\schost.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\schost.exe" "schost.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:2088
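
Every second-stage binary in the tree above whitelists itself with the legacy netsh firewall context from a directory under the user's profile. The block below is an added example, not part of the report, that turns that pattern into a check over process events: it extracts the program a netsh command exempts and flags the event when that program, or netsh's parent process, sits in a user-writable path. The five netsh events reproduce the command lines and parents in the tree; the cmd.exe event is a constructed benign control, and the list of user-writable directories is an assumption.

```python
"""Detection over the netsh invocations in the process tree above.

Added example, not part of the report. The five netsh events mirror the tree;
the cmd.exe event is a constructed benign control."""

import re

# Directories a standard user can write to. Assumption about a default
# Windows install; extend for your environment.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)

TOKEN = re.compile(r'([^\s"]*)"([^"]*)"|(\S+)')


def tokens(cmdline: str):
    """Split a Windows command line, keeping quoted paths and key="value" pairs whole."""
    out = []
    for m in TOKEN.finditer(cmdline):
        out.append(m.group(3) if m.group(3) is not None else m.group(1) + m.group(2))
    return out


def firewall_exception_program(cmdline: str):
    """Return the program a netsh command exempts, or None if it is not one.

    Covers the legacy form used by this sample,
      netsh firewall add allowedprogram <path> <name> ENABLE
    (positional or program=<path>), and the current form,
      netsh advfirewall firewall add rule ... program=<path> ..."""
    toks = tokens(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if low[0].rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        for t in toks[4:]:
            if t.lower().startswith("program="):
                return t[len("program="):]
        return toks[4] if len(toks) > 4 else None
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for t in toks[5:]:
            if t.lower().startswith("program="):
                return t[len("program="):]
    return None


def assess(event):
    """Reasons an event should be flagged; an empty list means no finding."""
    reasons = []
    prog = firewall_exception_program(event["cmdline"])
    if prog is None:
        return reasons
    if USER_WRITABLE.match(prog):
        reasons.append("firewall exception for binary in user-writable path: " + prog)
    parent = event.get("parent_image", "")
    if USER_WRITABLE.match(parent):
        reasons.append("netsh launched by binary in user-writable path: " + parent)
    return reasons


def scan_events(events):
    """Map pid -> reasons for every event that trips a rule."""
    hits = {}
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits[ev["pid"]] = reasons
    return hits


_TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def _netsh_event(pid, parent_name):
    # Event as recorded in the process tree above.
    return {
        "pid": pid,
        "parent_image": _TEMP + "\\" + parent_name,
        "image": r"C:\Windows\SysWOW64\netsh.exe",
        "cmdline": 'netsh firewall add allowedprogram "%s\\%s" "%s" ENABLE'
                   % (_TEMP, parent_name, parent_name),
    }


SAMPLE_EVENTS = [
    _netsh_event(2316, "Windows.exe"),
    _netsh_event(2056, "WindowsDefender.exe"),
    _netsh_event(2084, "System32.exe"),
    _netsh_event(2064, "chrome.exe"),
    _netsh_event(2088, "schost.exe"),
    {   # constructed benign control: an admin exempting a service binary
        "pid": 4242,
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\netsh.exe",
        "cmdline": 'netsh advfirewall firewall add rule name="SQL Server" dir=in '
                   'action=allow program="C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe" enable=yes',
    },
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The netsh firewall context is the pre-Vista syntax, deprecated in favour of netsh advfirewall but still accepted on Windows 7, the image this run used; the check handles both forms because the legacy one is what this sample relies on. The exempted binaries are named Windows.exe, WindowsDefender.exe, System32.exe, chrome.exe and schost.exe to resemble system and browser components, so a name-based allowlist is no substitute for the path check.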

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Lammer4.exe

    Filesize

    23KB

    MD5

    6534ac0f8282bda742f84c0be0d59fdb

    SHA1

    f2825254164b55e643a7a9f9cf37d82a0cb58c67

    SHA256

    9a06aad85ab062c00d2228fe01749738e8b4837a9199817e22424dc924e833d5

    SHA512

    238a2d1be71a1f469bd4c42804bbddeb70e952343d0b72c7731e5628cb4be7b59b03c2114c15a76152ee410d4c29796e5ab90dd241dda17876774d3d358c285c

  • \Users\Admin\AppData\Roaming\Lammer.exe

    Filesize

    23KB

    MD5

    4930dde1b76d3a886b539c8fbe0c4ee7

    SHA1

    436d5fecd006d51ae9da268600d93e62ec0c9e28

    SHA256

    843ca7195e41f30700a18eda1168462c8746987c8ae92aa7af9f642aaa67278b

    SHA512

    c5d160c2606a3e55f7c610567ac84fabd6d6700ba5ee163c04e440f8b15679c26407258241e83b939658898b3f65957aaf5a108089bf1bbba6649d3e6310f740

  • \Users\Admin\AppData\Roaming\Lammer1.exe

    Filesize

    23KB

    MD5

    cde9fc63215bd544e1bd36a532ad97e7

    SHA1

    4fe8dd9ec4696640a2c70c1ce9682a5045f39d85

    SHA256

    5994b98560fe850659064216f9a3030810d933c40163ca35fd9cf5914287bb27

    SHA512

    1d18497fdf40a1aabaff7998b265fc613e648fca31a0accd8f4e9827a843fe27b06f128cc09696fc32c03505c552ce97383b949b6f6f7d9de1930cedfe3b4ee1

  • \Users\Admin\AppData\Roaming\Lammer2.exe

    Filesize

    23KB

    MD5

    778eefef5ec195cffc908663e3234024

    SHA1

    5376facf2c5417f930236eae3206477714afaceb

    SHA256

    a5a2a1283ce6cea0c16b6259c9af3fb5d3a413cf274d7823ec93a6da857ec9a7

    SHA512

    cb43ced7a4a9518aa925e8e48b57072518c165d4356794faffe484694835b656bea91ad7df36ffcff5764816b866ec36944939eb24d4a7e09539dc96bf30a338

  • \Users\Admin\AppData\Roaming\Lammer3.exe

    Filesize

    23KB

    MD5

    e1610181327b8e358105540b0c6e694b

    SHA1

    6cc14c8e5c7e3f82b87f003f3c3c97a0f4e22bbd

    SHA256

    1394827b4f6d8ef8a352da505f1a6875915ad4a6bba4665181ddd410e89f1ac6

    SHA512

    2b3aeba04d993003727cac48db835fa5a22918dc8e3a11b4f022089802e9c8539ac6db3332e755fd5d5a225d244b515831e0d468d46b946cf8ab92eb6225e960

  • memory/2340-72-0x0000000000470000-0x00000000004B0000-memory.dmp

    Filesize

    256KB

  • memory/2828-73-0x0000000000560000-0x00000000005A0000-memory.dmp

    Filesize

    256KB