Malware Analysis Report

2025-04-13 23:32

Sample ID 240729-cdklja1gng
Target 31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118
SHA256 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d
Tags
njrat تم الاختراق من قبل دكتور الغربية # discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d

Threat Level: Known bad

The file 31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

njrat تم الاختراق من قبل دكتور الغربية # discovery evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 01:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 01:57

Reported

2024-07-31 01:09

Platform

win7-20240708-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Google Root.exe

"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 Dr187.ddns.net udp

Files

memory/1676-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

memory/1676-1-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1676-2-0x00000000043D0000-0x00000000043DE000-memory.dmp

\Users\Admin\AppData\Local\Temp\Google Root.exe

MD5 31fd3a719613cb40b4cf2ab083af6497
SHA1 6f2f9b91c7179189819a418d64521a620421538e
SHA256 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d
SHA512 de841f8c28ee0cc56a6966cf69e1db744c19a9c365b64ac0b3767fe029e46593bff81edbd0eaebb11da24eb7397ee112e6e8c3f303a5e54d45f8e5562b46264c

memory/2864-10-0x0000000073F70000-0x000000007465E000-memory.dmp

memory/2864-12-0x0000000073F70000-0x000000007465E000-memory.dmp

memory/2864-13-0x0000000073F70000-0x000000007465E000-memory.dmp

memory/2864-14-0x0000000073F70000-0x000000007465E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 01:57

Reported

2024-07-31 01:08

Platform

win10v2004-20240730-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Google Root.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Google Root.exe

"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 Dr187.ddns.net udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/2852-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/2852-1-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2852-2-0x0000000004980000-0x0000000004A1C000-memory.dmp

memory/2852-3-0x0000000002400000-0x000000000240E000-memory.dmp

memory/2852-4-0x0000000004A20000-0x0000000004FC4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Google Root.exe

MD5 31fd3a719613cb40b4cf2ab083af6497
SHA1 6f2f9b91c7179189819a418d64521a620421538e
SHA256 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d
SHA512 de841f8c28ee0cc56a6966cf69e1db744c19a9c365b64ac0b3767fe029e46593bff81edbd0eaebb11da24eb7397ee112e6e8c3f303a5e54d45f8e5562b46264c

memory/2384-17-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2384-19-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2384-20-0x0000000005070000-0x0000000005102000-memory.dmp

memory/2384-21-0x0000000005200000-0x000000000520A000-memory.dmp

memory/2384-22-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/2384-23-0x0000000074A60000-0x0000000075210000-memory.dmp