Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 15:53

General

  • Target

    d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe

  • Size

    184KB

  • MD5

    d4b8a82a729cdf72567046b7555a0922

  • SHA1

    3f64f0fe9528075fd128d9a4d4591f15d095e268

  • SHA256

    66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16

  • SHA512

    22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10

  • SSDEEP

    3072:BrSXkyxAljyuORbYlpy6bTH32GhNvtTw3LXdKkFq:xSkuAljyutpyCX2GhN1mLP

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

anunankis1.duckdns.org:1515

Mutex

Windows

Attributes
  • reg_key

    Windows

  • splitter

    |-F-|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
        "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4244
        • C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe
          "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:880
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:4976
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1416
      • C:\Windows\SysWOW64\attrib.exe
        attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe

    Filesize

    184KB

    MD5

    d4b8a82a729cdf72567046b7555a0922

    SHA1

    3f64f0fe9528075fd128d9a4d4591f15d095e268

    SHA256

    66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16

    SHA512

    22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

    Filesize

    1KB

    MD5

    a17b27701b4d3b5b39d174f9f3c17841

    SHA1

    4d98b658d09730704e6eb03ebd0b51a8d811c5ef

    SHA256

    7bd2938ce6d76d4948188221641210ea9aa9110ea3318cdadab3c87d8f7d16d1

    SHA512

    a6888617bb82d5d4c343975f46087b2b639aa26b546ceba4f2009be3f55ba1fe3b122d76b08c24c3df9b605251b2dbc6d50e2de602d1e346b035fe1eb301fc63

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

    Filesize

    1KB

    MD5

    2641fd48c1124a998eaa69132458026a

    SHA1

    494e0e3624a2c4020d575d1786c97dcebd5fafa4

    SHA256

    f5bf3bd1b542b36da83bec822bbfabb6ccb0176e47ec869719b18d0cbfc65dbb

    SHA512

    fc4411e7b12ef8ffa2edc6b751352b13a64ababb19830d773cf6bdac05b3e23de15d88ac80c842c4da2ca4194a953b4d342a14dc2f8a357cb3b243a55c3d15c4

  • memory/880-40-0x0000000005840000-0x00000000058A6000-memory.dmp

    Filesize

    408KB

  • memory/880-39-0x00000000055E0000-0x00000000055EA000-memory.dmp

    Filesize

    40KB

  • memory/880-38-0x00000000055F0000-0x0000000005682000-memory.dmp

    Filesize

    584KB

  • memory/880-37-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/880-32-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/1280-8-0x0000000000340000-0x000000000034E000-memory.dmp

    Filesize

    56KB

  • memory/1280-7-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/1280-9-0x0000000004B20000-0x0000000004BBC000-memory.dmp

    Filesize

    624KB

  • memory/1280-13-0x00000000058B0000-0x0000000005E54000-memory.dmp

    Filesize

    5.6MB

  • memory/1280-25-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/3600-10-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/3600-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

    Filesize

    4KB

  • memory/3600-1-0x0000000000920000-0x0000000000954000-memory.dmp

    Filesize

    208KB

  • memory/3600-3-0x0000000005230000-0x0000000005238000-memory.dmp

    Filesize

    32KB

  • memory/3600-2-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/4244-31-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB

  • memory/4244-30-0x0000000074D60000-0x0000000075510000-memory.dmp

    Filesize

    7.7MB