Malware Analysis Report

2024-10-23 20:47

Sample ID 240528-qd8v1sef3w
Target 7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118
SHA256 7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715
Tags: njrat torrent evasion persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715

Threat Level: Known bad

The file 7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat torrent evasion persistence trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-05-28 13:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 13:09

Reported

2024-05-28 13:12

Platform

win7-20240221-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Kerneldll32.exe

"C:\Users\Admin\AppData\Roaming\Kerneldll32.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Kerneldll32.exe" "Kerneldll32.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.fb.linkpc.net udp
CN 123.116.145.186:1070 www.fb.linkpc.net tcp

Files

memory/2968-0-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp

memory/2968-1-0x0000000000580000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Kerneldll32.exe

MD5 7d10d67d9f7590e5eff4c9818c6db8e2
SHA1 21051468dfffc8065b12f82e53aa83c9edfe9049
SHA256 7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715
SHA512 b0e0f077dbb464c738044b379f337e3e5ffcfc7a5237a4195fe37b7a2504484cd876c96ead916dc027a9360acd16c61dd56ee9548b3053fcd564c45ee81f2c2c

memory/2968-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2964-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2968-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2964-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2964-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2964-12-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

memory/2964-13-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 13:09

Reported

2024-05-28 13:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Kerneldll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Kerneldll32.exe

"C:\Users\Admin\AppData\Roaming\Kerneldll32.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Kerneldll32.exe" "Kerneldll32.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.fb.linkpc.net udp
CN 123.116.145.186:1070 www.fb.linkpc.net tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/1000-0-0x00007FFA45CF5000-0x00007FFA45CF6000-memory.dmp

memory/1000-1-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/1000-2-0x000000001BE10000-0x000000001BEB6000-memory.dmp

memory/1000-3-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/1000-4-0x0000000001530000-0x000000000153E000-memory.dmp

memory/1000-5-0x000000001CA60000-0x000000001CF2E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Kerneldll32.exe

MD5 7d10d67d9f7590e5eff4c9818c6db8e2
SHA1 21051468dfffc8065b12f82e53aa83c9edfe9049
SHA256 7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715
SHA512 b0e0f077dbb464c738044b379f337e3e5ffcfc7a5237a4195fe37b7a2504484cd876c96ead916dc027a9360acd16c61dd56ee9548b3053fcd564c45ee81f2c2c

memory/1000-19-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/2788-20-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/2788-21-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/2788-18-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp

memory/2788-22-0x000000001C0D0000-0x000000001C16C000-memory.dmp

memory/2788-23-0x000000001BEE0000-0x000000001BEE8000-memory.dmp

memory/2788-24-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp