Analysis
-
max time kernel
148s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13/07/2024, 17:02
General
-
Target
4292b1f50c211aa1c13bdcef3c4e9da1_JaffaCakes118.exe
-
Size
365KB
-
MD5
4292b1f50c211aa1c13bdcef3c4e9da1
-
SHA1
3e38c11ceb88c46782aa7398b7849bb50dfc07da
-
SHA256
806f81c2a9821e0a0b2112278eaa13a615360f5ec39bcdcab635bcb9a4fcebe7
-
SHA512
230545c6c44469b0620121fd3f3dbd4d63251545ad7522394666edd1b62f08e25fa58277e6c64b05d70782c0100f7f54b457bc65f5f99a87a1c3191a026e7013
-
SSDEEP
6144:OYVD4r0bVGfpk2LRWEQVRySTZBH/YXAHczKELLvaYkIGnm9fXBWyUHJVSrm:JVD4r0hwrcEQVRySVN/YX8cmOyVIGapK
Malware Config
Extracted
njrat
0.7d
HacKed
hakim32.ddns.net:2000
ЙЬ@@%#TI3LjAuЙЬ@@%#C4x:��<
f9c9cdacdb545863782da2b421f859d0
-
reg_key
f9c9cdacdb545863782da2b421f859d0
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4292b1f50c211aa1c13bdcef3c4e9da1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4292b1f50c211aa1c13bdcef3c4e9da1_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Settings\Windows Store.exe"C:\Users\Admin\AppData\Roaming\Settings\Windows Store.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Windows Store" /tr "'C:\Users\Admin\AppData\Roaming\Settings\Windows Store.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Settings\Windows Store.exe" "Windows Store.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
365KB
MD54292b1f50c211aa1c13bdcef3c4e9da1
SHA13e38c11ceb88c46782aa7398b7849bb50dfc07da
SHA256806f81c2a9821e0a0b2112278eaa13a615360f5ec39bcdcab635bcb9a4fcebe7
SHA512230545c6c44469b0620121fd3f3dbd4d63251545ad7522394666edd1b62f08e25fa58277e6c64b05d70782c0100f7f54b457bc65f5f99a87a1c3191a026e7013
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
288KB
-
Filesize
10.8MB
-
Filesize
10.8MB