njrat | abc444525d3ca6b1679ea160738b663052cb64fb4bdd0fb1903bac23d3eae919

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
Size

557KB
MD5

d7041ca0e3829f211b2bd1698c98aeb6
SHA1

50d14c9dcc8d883abf40155414bf09c98a2ae5c5
SHA256

abc444525d3ca6b1679ea160738b663052cb64fb4bdd0fb1903bac23d3eae919
SHA512

363d060d3547fa465f961928a2314495593560b6ace3741f151156bf5fa172c4d6001223576b52eecc3801ae1a3bcb49a2d2c3f4cd1799d406896ab57ec2fedf
SSDEEP

6144:jh3bZqgIYTbsFsUI1cnLOftd+PmhK2F0h3lr6VIyb39:jtZqgIYLUI1mktd+PgK3lr4I43

Score

10^/10

njrat hacked defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

comettest.ddns.net:1337

Mutex

001235189d37eb700b8caeaaee506d6a

Attributes

reg_key
001235189d37eb700b8caeaaee506d6a
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4632	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3800	svhost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
Token: SeDebugPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe
Token: 33	3800	svhost.exe
Token: SeIncBasePriorityPrivilege	3800	svhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 4516	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	86
PID 4512 wrote to memory of 4516	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	86
PID 4512 wrote to memory of 4516	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	86
PID 4516 wrote to memory of 2916	4516	cmd.exe	88
PID 4516 wrote to memory of 2916	4516	cmd.exe	88
PID 4516 wrote to memory of 2916	4516	cmd.exe	88
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 4512 wrote to memory of 3800	4512	d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe	89
PID 3800 wrote to memory of 4632	3800	svhost.exe	91
PID 3800 wrote to memory of 4632	3800	svhost.exe	91
PID 3800 wrote to memory of 4632	3800	svhost.exe	91

C:\Users\Admin\AppData\Local\Temp\d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7041ca0e3829f211b2bd1698c98aeb6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderN\name.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svhost.exe" "svhost.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
89KB

MD5
84c42d0f2c1ae761bef884638bc1eacd

SHA1
4353881e7f4e9c7610f4e0489183b55bb58bb574

SHA256
331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3

SHA512
43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87

Download Submit
C:\Users\Admin\AppData\Roaming\FolderN\name.exe

Filesize
557KB

MD5
d7041ca0e3829f211b2bd1698c98aeb6

SHA1
50d14c9dcc8d883abf40155414bf09c98a2ae5c5

SHA256
abc444525d3ca6b1679ea160738b663052cb64fb4bdd0fb1903bac23d3eae919

SHA512
363d060d3547fa465f961928a2314495593560b6ace3741f151156bf5fa172c4d6001223576b52eecc3801ae1a3bcb49a2d2c3f4cd1799d406896ab57ec2fedf

Download Submit
memory/3800-15-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3800-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3800-16-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3800-20-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/3800-23-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-2-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-0-0x0000000074722000-0x0000000074723000-memory.dmp

Filesize
4KB

Download
memory/4512-1-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-17-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-18-0x0000000074722000-0x0000000074723000-memory.dmp

Filesize
4KB

Download
memory/4512-19-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download
memory/4512-22-0x0000000074720000-0x0000000074CD1000-memory.dmp

Filesize
5.7MB

Download