Analysis Overview
SHA256
2d9a00c61807ea0eb013feda7d2f7d95e5248bbf8e433c83a18e4ecec0a3e1f1
Threat Level: Known bad
The file d211887dcc729a782b236236c69ccd81_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
njRAT/Bladabindi
Modifies Windows Firewall
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-07 13:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-07 13:44
Reported
2024-09-07 13:47
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\a9cf687f880c397b4c0251aa6523248c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\a9cf687f880c397b4c0251aa6523248c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
Files
memory/628-0-0x000000007442E000-0x000000007442F000-memory.dmp
memory/628-1-0x00000000002C0000-0x00000000002EC000-memory.dmp
memory/628-2-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/628-3-0x0000000000500000-0x000000000051C000-memory.dmp
memory/628-4-0x00000000003D0000-0x00000000003DC000-memory.dmp
\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d211887dcc729a782b236236c69ccd81 |
| SHA1 | b6726f66a09b60e18f621423bb04c7cce0590968 |
| SHA256 | 2d9a00c61807ea0eb013feda7d2f7d95e5248bbf8e433c83a18e4ecec0a3e1f1 |
| SHA512 | fac76c52a18d89594e278d58cf5529d95f62e2c8150d0bcbac45f67aa48a939524803e75a12c92ed245e0563da575504836b07ca4e2e1976a9cf4dc49a0079bb |
memory/2776-14-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2776-13-0x0000000000E50000-0x0000000000E7C000-memory.dmp
memory/2776-15-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/628-12-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2776-16-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2776-17-0x0000000074420000-0x0000000074B0E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-07 13:44
Reported
2024-09-07 13:47
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
njRAT/Bladabindi
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a9cf687f880c397b4c0251aa6523248c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a9cf687f880c397b4c0251aa6523248c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1896 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 1896 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 1896 wrote to memory of 2480 | N/A | C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\server.exe |
| PID 2480 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2480 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2480 wrote to memory of 1776 | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d211887dcc729a782b236236c69ccd81_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
| US | 8.8.8.8:53 | vanto1o1m000.hopto.org | udp |
Files
memory/1896-0-0x00000000748AE000-0x00000000748AF000-memory.dmp
memory/1896-1-0x0000000000420000-0x000000000044C000-memory.dmp
memory/1896-2-0x0000000005430000-0x00000000059D4000-memory.dmp
memory/1896-3-0x0000000004E80000-0x0000000004F12000-memory.dmp
memory/1896-4-0x0000000004F20000-0x0000000004FBC000-memory.dmp
memory/1896-5-0x0000000004E00000-0x0000000004E0A000-memory.dmp
memory/1896-6-0x0000000005150000-0x00000000051A6000-memory.dmp
memory/1896-7-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/1896-8-0x0000000007940000-0x000000000795C000-memory.dmp
memory/1896-9-0x0000000005290000-0x000000000529C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\server.exe
| MD5 | d211887dcc729a782b236236c69ccd81 |
| SHA1 | b6726f66a09b60e18f621423bb04c7cce0590968 |
| SHA256 | 2d9a00c61807ea0eb013feda7d2f7d95e5248bbf8e433c83a18e4ecec0a3e1f1 |
| SHA512 | fac76c52a18d89594e278d58cf5529d95f62e2c8150d0bcbac45f67aa48a939524803e75a12c92ed245e0563da575504836b07ca4e2e1976a9cf4dc49a0079bb |
memory/1896-22-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/2480-23-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/2480-24-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/2480-25-0x00000000748A0000-0x0000000075050000-memory.dmp
memory/2480-26-0x00000000748A0000-0x0000000075050000-memory.dmp