njrat | ab04fb658dad391322e1518d65e085ea34b4dba81db53520397c0b6e5ae7cff2

General

Target

ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
Size

1.1MB
MD5

ae9a90540d79b7aa7f86b73562b7ac5c
SHA1

c4bc6df18791d74eadabddaae5709244932987ee
SHA256

ab04fb658dad391322e1518d65e085ea34b4dba81db53520397c0b6e5ae7cff2
SHA512

d88c806e08250c3b8dd094a2f420a47e349adaec3ebc03159bdf3fa1af988dc9ffe749cd05406fb6333a24950573f006bb419e3f9ea7216cafa630c84318ee3f
SSDEEP

24576:teGpARnavJyU1m2IISC2PlP5kYDji6/AkzMYh7g6e:oGqkvJyLjmSlP5kYDpIOrh

Score

10^/10

njrat hacker evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKer

C2

91.232.111.212:7777

Mutex

4a3d67ee61b43118e4130164dec374f7

Attributes

reg_key
4a3d67ee61b43118e4130164dec374f7
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2660 netsh.exe

pid	process
2660	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe

Drops startup file 2 IoCs

Processes:

expler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe	expler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe	expler.exe

Executes dropped EXE 1 IoCs

Processes:

expler.exe

pid process

1968 expler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

expler.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .."	expler.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .."	expler.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

expler.exe

description	ioc	process
File created	C:\autorun.inf	expler.exe
File opened for modification	C:\autorun.inf	expler.exe
File created	D:\autorun.inf	expler.exe
File created	F:\autorun.inf	expler.exe
File opened for modification	F:\autorun.inf	expler.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exeexpler.exe

pid	process
2184	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
2184	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1352 taskkill.exe

pid	process
1352	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

expler.exe

pid	process
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe
1968	expler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

expler.exe

pid process

1968 expler.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

expler.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1968	expler.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe
Token: 33	1968	expler.exe
Token: SeIncBasePriorityPrivilege	1968	expler.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exeexpler.exe

pid process

2184 ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
1968 expler.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exeexpler.exe

description	pid	process	target process
PID 2184 wrote to memory of 1968	2184	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe	expler.exe
PID 2184 wrote to memory of 1968	2184	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe	expler.exe
PID 2184 wrote to memory of 1968	2184	ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe	expler.exe
PID 1968 wrote to memory of 2660	1968	expler.exe	netsh.exe
PID 1968 wrote to memory of 2660	1968	expler.exe	netsh.exe
PID 1968 wrote to memory of 2660	1968	expler.exe	netsh.exe
PID 1968 wrote to memory of 1352	1968	expler.exe	taskkill.exe
PID 1968 wrote to memory of 1352	1968	expler.exe	taskkill.exe
PID 1968 wrote to memory of 1352	1968	expler.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\expler.exe
"C:\Users\Admin\expler.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\expler.exe" "expler.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2660

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Exsample.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\expler.exe
Filesize
1.1MB

MD5
ae9a90540d79b7aa7f86b73562b7ac5c

SHA1
c4bc6df18791d74eadabddaae5709244932987ee

SHA256
ab04fb658dad391322e1518d65e085ea34b4dba81db53520397c0b6e5ae7cff2

SHA512
d88c806e08250c3b8dd094a2f420a47e349adaec3ebc03159bdf3fa1af988dc9ffe749cd05406fb6333a24950573f006bb419e3f9ea7216cafa630c84318ee3f

Download Submit
memory/1968-26-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1968-41-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1968-40-0x0000000000900000-0x0000000000C76000-memory.dmp

Filesize
3.5MB

Download
memory/1968-28-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/1968-22-0x0000000000900000-0x0000000000C76000-memory.dmp

Filesize
3.5MB

Download
memory/1968-25-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2184-3-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2184-27-0x00000000009F0000-0x0000000000D66000-memory.dmp

Filesize
3.5MB

Download
memory/2184-24-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2184-0-0x00000000009F0000-0x0000000000D66000-memory.dmp

Filesize
3.5MB

Download
memory/2184-2-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/2184-1-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads