njrat | 72788c659f7186370af95bed8037137ccaa982649707a4a34fde81ba24c66384

General

Target

e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe
Size

168KB
MD5

e17d019f39e42adfecd6ae98ff6f99c7
SHA1

316119a476c9c10c0aa7ac347eeba40fa3a9ce79
SHA256

72788c659f7186370af95bed8037137ccaa982649707a4a34fde81ba24c66384
SHA512

56bfda25c6025237625024e72029f58223f304fbb619580e7d41d2862d8f58955b64af47e77fbbdc7fe68ef381c96916bfde7a967dcb0668098565fc70ade753
SSDEEP

3072:lvGygixsiq1I5GWp1icKAArDZz4N9GhbkrNEkee3i5aiPw2IyCxxt:HvTp0yN90QEVtMyU

Score

10^/10

njrat hacked discovery execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

C2

maximazorreguieta.no-ip.info:3406

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4128	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	1648110957.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	1648110957.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe

Executes dropped EXE 2 IoCs

pid	Process
4760	1648110957.exe
2400	Payload.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	1648110957.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1648110957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4128	powershell.exe
4128	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe
Token: 33	2400	Payload.exe
Token: SeIncBasePriorityPrivilege	2400	Payload.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 4660	1328	e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe	83
PID 1328 wrote to memory of 4660	1328	e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe	83
PID 1328 wrote to memory of 3132	1328	e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe	85
PID 1328 wrote to memory of 3132	1328	e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe	85
PID 3132 wrote to memory of 4128	3132	cmd.exe	87
PID 3132 wrote to memory of 4128	3132	cmd.exe	87
PID 4128 wrote to memory of 4760	4128	powershell.exe	91
PID 4128 wrote to memory of 4760	4128	powershell.exe	91
PID 4128 wrote to memory of 4760	4128	powershell.exe	91
PID 4760 wrote to memory of 2400	4760	1648110957.exe	99
PID 4760 wrote to memory of 2400	4760	1648110957.exe	99
PID 4760 wrote to memory of 2400	4760	1648110957.exe	99
PID 4760 wrote to memory of 4528	4760	1648110957.exe	100
PID 4760 wrote to memory of 4528	4760	1648110957.exe	100
PID 4760 wrote to memory of 4528	4760	1648110957.exe	100
PID 2400 wrote to memory of 3764	2400	Payload.exe	102
PID 2400 wrote to memory of 3764	2400	Payload.exe	102
PID 2400 wrote to memory of 3764	2400	Payload.exe	102
PID 2400 wrote to memory of 3592	2400	Payload.exe	103
PID 2400 wrote to memory of 3592	2400	Payload.exe	103
PID 2400 wrote to memory of 3592	2400	Payload.exe	103

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4528	attrib.exe
3764	attrib.exe
3592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e17d019f39e42adfecd6ae98ff6f99c7_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c echo.
  2⤵
  PID:4660
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c exec.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\1648110957\1648110957.exe
      "C:\Users\Admin\AppData\Local\Temp\1648110957\1648110957.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4760
    - - C:\Users\Admin\AppData\Local\Temp\Payload.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3764
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3592
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1648110957\1648110957.exe

Filesize
27KB

MD5
480e13d5529143ca6e831df5b6deafbd

SHA1
e1911bf9e2dd63ff574bec00b9015299af5d120b

SHA256
b77da83a63ca5f47ee2494c8c144cbed0a792c477ae47f0904edddcd2b16331a

SHA512
831a0bf055168df256235f9b32501e579ba9b791b83d045bf06e91688b233703d777c012a544e11ce05ddaa5a0a95be5094bcb3a3dbec49c9618b448222de802

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

Filesize
36KB

MD5
09b434b8d3e6a5fb3b81dc72d2cb464b

SHA1
2e1473999f79fb21a8a528e3eda61d76ae858722

SHA256
6e5557295739e38adb3454a3069a8e47e041c5ca6ad80951a41a30f0e301bb0d

SHA512
c8f412c5cbc3573b4f1b940df148bebdbed25fa244ced10358e1703771adeb31ba81a1c3b4f64436b0d75f505b3adc55d73e9c6ce28100ef5efbec8387950a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

Filesize
95B

MD5
368e0f2c003376d3bdae1c71dd85ec70

SHA1
e5fa7b58cad7f5df6e3a7c2abeec16365ae17827

SHA256
84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9

SHA512
e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ncz3v0xb.ex1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
4c043c220c7f4e6644b7c14ba0838b6c

SHA1
82ded92825367771b189620d165aaf2a17df3418

SHA256
789a45c46c7274c6c06129eef56e0b43c9bc7a62f92ce490b6ccfb92dd4b875f

SHA512
140b445376db80bcef55e02b9023c2a0cb5e3b59bae2b359f71f856128860bac6369c1283fae9f69ebd25fc064471f2a949ae382785faa020204da729eec1cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
ffcf265f87aa73be08dc0fd8d192a9d9

SHA1
c94973d9c141054887c5a840efd43645dad81ec3

SHA256
4abb41ea7e9b6f2452827d25787e216d1dc631165940512c09ae0e314db86285

SHA512
c586770b0241031eb3cbd13dbc3c00f8320a70e2d1150297c37a7161f267d9c21c0cc7e32db0a151bf7518d38b0f0cb30ca1d1bcff42c8cecc1faa318b5ab725

Download Submit
memory/4128-29-0x00007FFAAAC60000-0x00007FFAAB721000-memory.dmp

Filesize
10.8MB

Download
memory/4128-8-0x000002787EE30000-0x000002787EE52000-memory.dmp

Filesize
136KB

Download
memory/4128-20-0x00007FFAAAC60000-0x00007FFAAB721000-memory.dmp

Filesize
10.8MB

Download
memory/4128-19-0x00007FFAAAC60000-0x00007FFAAB721000-memory.dmp

Filesize
10.8MB

Download
memory/4128-7-0x00007FFAAAC63000-0x00007FFAAAC65000-memory.dmp

Filesize
8KB

Download
memory/4760-30-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download
memory/4760-31-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4760-36-0x00000000752C2000-0x00000000752C3000-memory.dmp

Filesize
4KB

Download
memory/4760-37-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download
memory/4760-47-0x00000000752C0000-0x0000000075871000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads