Analysis Overview
SHA256
187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a
Threat Level: Known bad
The file 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-28 19:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-28 19:05
Reported
2024-05-28 19:08
Platform
win7-20240215-en
Max time kernel
145s
Max time network
141s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1756 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe | C:\Windows\system32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
"C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe"
C:\Windows\system32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" "187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | afr0j4ck.ddns.net | udp |
| DZ | 105.101.252.19:7000 | afr0j4ck.ddns.net | tcp |
Files
memory/1756-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp
memory/1756-1-0x0000000000D50000-0x0000000000D90000-memory.dmp
memory/1756-2-0x00000000002C0000-0x00000000002CC000-memory.dmp
memory/1756-3-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp
memory/1756-4-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp
memory/1756-5-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-28 19:05
Reported
2024-05-28 19:08
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2328 wrote to memory of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe | C:\Windows\SYSTEM32\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
"C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" "187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" ENABLE
Network
Files
memory/2328-0-0x0000000000F20000-0x0000000000F60000-memory.dmp
memory/2328-1-0x00007FFE899C3000-0x00007FFE899C5000-memory.dmp
memory/2328-2-0x0000000001700000-0x000000000170C000-memory.dmp
memory/2328-3-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp
memory/2328-4-0x00007FFE899C0000-0x00007FFE8A481000-memory.dmp