Analysis Overview
SHA256: 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d
Threat Level: Known bad
The file 31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Loads dropped DLL
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-07-29 01:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-07-29 01:57
Reported: 2024-07-31 01:09
Platform: win7-20240708-en
Max time kernel: 149s
Max time network: 120s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Google Root.exe
"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Dr187.ddns.net | udp |
Files
memory/1676-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp
memory/1676-1-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1676-2-0x00000000043D0000-0x00000000043DE000-memory.dmp
\Users\Admin\AppData\Local\Temp\Google Root.exe
| MD5 | 31fd3a719613cb40b4cf2ab083af6497 |
| SHA1 | 6f2f9b91c7179189819a418d64521a620421538e |
| SHA256 | 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d |
| SHA512 | de841f8c28ee0cc56a6966cf69e1db744c19a9c365b64ac0b3767fe029e46593bff81edbd0eaebb11da24eb7397ee112e6e8c3f303a5e54d45f8e5562b46264c |
memory/2864-10-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2864-12-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2864-13-0x0000000073F70000-0x000000007465E000-memory.dmp
memory/2864-14-0x0000000073F70000-0x000000007465E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-07-29 01:57
Reported: 2024-07-31 01:08
Platform: win10v2004-20240730-en
Max time kernel: 149s
Max time network: 123s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2852 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe |
| PID 2852 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe |
| PID 2852 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Google Root.exe |
| PID 2384 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2384 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2384 wrote to memory of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\Google Root.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31fd3a719613cb40b4cf2ab083af6497_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\Google Root.exe
"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Dr187.ddns.net | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
memory/2852-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp
memory/2852-1-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2852-2-0x0000000004980000-0x0000000004A1C000-memory.dmp
memory/2852-3-0x0000000002400000-0x000000000240E000-memory.dmp
memory/2852-4-0x0000000004A20000-0x0000000004FC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Google Root.exe
| MD5 | 31fd3a719613cb40b4cf2ab083af6497 |
| SHA1 | 6f2f9b91c7179189819a418d64521a620421538e |
| SHA256 | 91b52e45e992cc925b40f0b2d020a7538453b00239db9c2fc06264163298823d |
| SHA512 | de841f8c28ee0cc56a6966cf69e1db744c19a9c365b64ac0b3767fe029e46593bff81edbd0eaebb11da24eb7397ee112e6e8c3f303a5e54d45f8e5562b46264c |
memory/2384-17-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/2384-19-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/2384-20-0x0000000005070000-0x0000000005102000-memory.dmp
memory/2384-21-0x0000000005200000-0x000000000520A000-memory.dmp
memory/2384-22-0x0000000074A60000-0x0000000075210000-memory.dmp
memory/2384-23-0x0000000074A60000-0x0000000075210000-memory.dmp