njrat | 01fdfc314bfab5c7d0cf774aba4dfabc0b503b7e7d91eb1016d8b5a7fcbc83f6

General

Target

dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe
Size

93KB
MD5

dc1d0319a87205834977c9193840bdbf
SHA1

70784a051b32b34a71e73762bdd03f77186143d4
SHA256

01fdfc314bfab5c7d0cf774aba4dfabc0b503b7e7d91eb1016d8b5a7fcbc83f6
SHA512

efd137d0eeb1dd5c1709ab220b9f446ec76897ffdda12d884e708275751e2c5c67f7f9041bb54778307a8d0c025e8456c0bbaf3b08474e7ad27c39eb3a809dca
SSDEEP

768:3Da0mkspJtyZA/vMHTi9bD5NjHmLRpbZG3bV/aPfQpFx:za0mkSbnYi9bFlUfQpf

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

4.tcp.ngrok.io:15315

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	Payload.exe

Loads dropped DLL 1 IoCs

pid	Process
1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	4.tcp.ngrok.io
7	4.tcp.ngrok.io
20	4.tcp.ngrok.io
38	4.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe
Token: 33	3064	Payload.exe
Token: SeIncBasePriorityPrivilege	3064	Payload.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 3064	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	29
PID 1756 wrote to memory of 3064	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	29
PID 1756 wrote to memory of 3064	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	29
PID 1756 wrote to memory of 3064	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	29
PID 1756 wrote to memory of 936	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	30
PID 1756 wrote to memory of 936	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	30
PID 1756 wrote to memory of 936	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	30
PID 1756 wrote to memory of 936	1756	dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe	30

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc1d0319a87205834977c9193840bdbf_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Roaming\Payload.exe
  "C:\Users\Admin\AppData\Roaming\Payload.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
ab8bda25bb33bc4e1b0fb838182310ee

SHA1
3d5019c29dc25b75a0895c1cfbddbc1b82f65564

SHA256
61876eace51bdcb316ccd5ab578199d0047e5613aa1e6b74de14510dfdf32899

SHA512
1372d6246158b69ca5f13628e92cc01e5f2789a7c3d27a9b60dd7e05140be90c55aba20a6ad1f623d457d3971b0a5c8a99e521da974653384d257462ab8ba133

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1018B

MD5
a1f1aa45f3be732c8413aa8e836c795f

SHA1
0a92925bc77cce64632163970bbbba77447b7ac0

SHA256
049096a7457a01d3b22e8b9fea5e3e882b1e8b006445c8779785110bdd9f175e

SHA512
31cf6319c3f481081266b0b1893acee702baccaa7d9618b19984505fd757cf08bdad59a2d7d103851b4aec570da193c768ef6d8a416af7cb2b44a9e7b154ea15

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe

Filesize
93KB

MD5
dc1d0319a87205834977c9193840bdbf

SHA1
70784a051b32b34a71e73762bdd03f77186143d4

SHA256
01fdfc314bfab5c7d0cf774aba4dfabc0b503b7e7d91eb1016d8b5a7fcbc83f6

SHA512
efd137d0eeb1dd5c1709ab220b9f446ec76897ffdda12d884e708275751e2c5c67f7f9041bb54778307a8d0c025e8456c0bbaf3b08474e7ad27c39eb3a809dca

Download Submit
memory/1756-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/1756-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-5-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-15-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-13-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-14-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-20-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads