Analysis Overview
SHA256
7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715
Threat Level: Known bad
The file 7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 13:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 13:09
Reported
2024-05-28 13:12
Platform
win7-20240221-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2968 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe |
| PID 2968 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe |
| PID 2968 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe |
| PID 2964 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | C:\Windows\system32\netsh.exe |
| PID 2964 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | C:\Windows\system32\netsh.exe |
| PID 2964 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | C:\Windows\system32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Kerneldll32.exe
"C:\Users\Admin\AppData\Roaming\Kerneldll32.exe"
C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Kerneldll32.exe" "Kerneldll32.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.fb.linkpc.net | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| US | 8.8.8.8:53 | www.fb.linkpc.net | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
Files
memory/2968-0-0x000007FEF5F7E000-0x000007FEF5F7F000-memory.dmp
memory/2968-1-0x0000000000580000-0x000000000058E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Kerneldll32.exe
| MD5 | 7d10d67d9f7590e5eff4c9818c6db8e2 |
| SHA1 | 21051468dfffc8065b12f82e53aa83c9edfe9049 |
| SHA256 | 7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715 |
| SHA512 | b0e0f077dbb464c738044b379f337e3e5ffcfc7a5237a4195fe37b7a2504484cd876c96ead916dc027a9360acd16c61dd56ee9548b3053fcd564c45ee81f2c2c |
memory/2968-7-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2964-9-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2968-8-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2964-11-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2964-10-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2964-12-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
memory/2964-13-0x000007FEF5CC0000-0x000007FEF665D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 13:09
Reported
2024-05-28 13:12
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecbfc751e50996e8c53d87b0a26dc0af = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kerneldll32.exe\" .." | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1000 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe |
| PID 1000 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe |
| PID 2788 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | C:\Windows\SYSTEM32\netsh.exe |
| PID 2788 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Roaming\Kerneldll32.exe | C:\Windows\SYSTEM32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d10d67d9f7590e5eff4c9818c6db8e2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\Kerneldll32.exe
"C:\Users\Admin\AppData\Roaming\Kerneldll32.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Kerneldll32.exe" "Kerneldll32.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fb.linkpc.net | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
| US | 8.8.8.8:53 | www.fb.linkpc.net | udp |
| US | 8.8.8.8:53 | www.fb.linkpc.net | udp |
| CN | 123.116.145.186:1070 | www.fb.linkpc.net | tcp |
Files
memory/1000-0-0x00007FFA45CF5000-0x00007FFA45CF6000-memory.dmp
memory/1000-1-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/1000-2-0x000000001BE10000-0x000000001BEB6000-memory.dmp
memory/1000-3-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/1000-4-0x0000000001530000-0x000000000153E000-memory.dmp
memory/1000-5-0x000000001CA60000-0x000000001CF2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Kerneldll32.exe
| MD5 | 7d10d67d9f7590e5eff4c9818c6db8e2 |
| SHA1 | 21051468dfffc8065b12f82e53aa83c9edfe9049 |
| SHA256 | 7ed6db0961936f9c11762d1b06ae4918719c38906cb556ad9005383ffcb6b715 |
| SHA512 | b0e0f077dbb464c738044b379f337e3e5ffcfc7a5237a4195fe37b7a2504484cd876c96ead916dc027a9360acd16c61dd56ee9548b3053fcd564c45ee81f2c2c |
memory/1000-19-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/2788-20-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/2788-21-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/2788-18-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp
memory/2788-22-0x000000001C0D0000-0x000000001C16C000-memory.dmp
memory/2788-23-0x000000001BEE0000-0x000000001BEE8000-memory.dmp
memory/2788-24-0x00007FFA45A40000-0x00007FFA463E1000-memory.dmp