Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-09-2024 21:51
General
-
Target
d525eed9de6f27fbfc78c36e8b87c991_JaffaCakes118.exe
-
Size
100KB
-
MD5
d525eed9de6f27fbfc78c36e8b87c991
-
SHA1
60ff41b814fe1ce493461d93ea91018c3ba55c20
-
SHA256
5a20ec2cf7dabd8ee61f66abde54323db48b43052f9b6bf8c654484b15a28d1d
-
SHA512
ecb76fc9e2c60a05010533f1d7246b148610803e21be63cd1eec913bb9e5ae58046032fd42bb4ae255248eaed605c35035606f7834500c5ef451fb371d74df64
-
SSDEEP
1536:2NPZK0XxGZKg5k/L2V5j8bR+LY9dF3JbMRisSxHjPZngFM3n/RX:2K0Bm5kT2Vl8bIU9hbMRHS5dgK3n/RX
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d525eed9de6f27fbfc78c36e8b87c991_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d525eed9de6f27fbfc78c36e8b87c991_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD5d525eed9de6f27fbfc78c36e8b87c991
SHA160ff41b814fe1ce493461d93ea91018c3ba55c20
SHA2565a20ec2cf7dabd8ee61f66abde54323db48b43052f9b6bf8c654484b15a28d1d
SHA512ecb76fc9e2c60a05010533f1d7246b148610803e21be63cd1eec913bb9e5ae58046032fd42bb4ae255248eaed605c35035606f7834500c5ef451fb371d74df64
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
56KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
88KB
-
Filesize
6.9MB
-
Filesize
6.9MB