Resubmissions
03-06-2024 05:29
240603-f62bjadb7xAnalysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
03-06-2024 05:29
General
-
Target
90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
-
Size
211KB
-
MD5
90b0dacdb9974cb1f970960e3c082167
-
SHA1
921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
-
SHA256
071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
-
SHA512
798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
SSDEEP
6144:8+0qeo57l6zMm3CRT9qyfdiQgInzZOBT:8PqeMwzXC2+4Yd
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\Google Root.exeFilesize
211KB
MD590b0dacdb9974cb1f970960e3c082167
SHA1921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
SHA256071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
SHA512798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
memory/1508-0-0x000007FEF5ED3000-0x000007FEF5ED4000-memory.dmpFilesize
4KB
-
memory/1508-1-0x00000000001A0000-0x00000000001DA000-memory.dmpFilesize
232KB
-
memory/1508-2-0x0000000000210000-0x000000000021E000-memory.dmpFilesize
56KB
-
memory/1508-3-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB
-
memory/1508-10-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB
-
memory/3044-12-0x0000000001090000-0x00000000010CA000-memory.dmpFilesize
232KB
-
memory/3044-11-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB
-
memory/3044-14-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB
-
memory/3044-15-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB
-
memory/3044-16-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmpFilesize
9.9MB