Overview

overview

10

Static

static

5

KMSpico 11...ce.cmd

windows7-x64

8

KMSpico 11...ce.cmd

windows10-2004-x64

8

KMSpico 11...ms.exe

windows7-x64

10

KMSpico 11...ms.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eae17604bdd156736fc111bf02de5f2d_JaffaCakes118

  • Size

    3.4MB

  • Sample

    240919-jmkffsybjn

  • MD5

    eae17604bdd156736fc111bf02de5f2d

  • SHA1

    5c8b9bb5c9543749ff8292b7d8d20c26a6b4f826

  • SHA256

    4a74ba5be8f473d9dc09e9981524cff15967ea57db52348ccaffa29ffc301ca0

  • SHA512

    0625f96f5dea51e2e8c2e19ee0a254ca5f138c720b0c492a299ed57b543b7776c69d6e86650208b2845c57afa43042b691daa0aac2912dcd3b176d2d2095435c

  • SSDEEP

    98304:9koJu5D2nxN6N1ykdY1fLWHk+yORoaVeC0:r6aWakdYpLyknORhkC0

Score
10/10
njratdiscoveryevasionexecutionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)/UnInstall_Service.cmd

    • Size

      146B

    • MD5

      d228137b7b77d7ef3fcdc06ddabebeef

    • SHA1

      9415587011a75484fce405287a548d488973fd09

    • SHA256

      0552a48861a2c9825d51eeb0197a959dc85e4e960fb00cee89ccc4806eaadba8

    • SHA512

      7ca92a5b8bb303adfe4281db23c65eb2e1b22434411c0cae02aa688cfa3091edfd315cc816cd6d5a37cf8f6e647b1931329c1051df45b6135e75d0c023224ef9

    Score
    8/10
    evasionexecution
    behavioral1behavioral2

    • Target

      KMSpico 11 FINAL (Office and Windows 10+8+7 Activator)/kms.exe

    • Size

      3.9MB

    • MD5

      0195356c4e2cdb1a5cb126393c4c5b91

    • SHA1

      b1cf7eef95ecca52743f4f343c50fc695dc8d727

    • SHA256

      f02c8a3de425dff5150def46766e249f7886ed507c2f78a0f8c01ca23ee8a33d

    • SHA512

      bbcc8f89be3111eaf1db0b1db3b9ebbd9254fbce3ab0694eef003b380138640d520a2bc1a7d7e741db15de55a7e67ba1e9a545d31c509e742545e954a4adb8a3

    • SSDEEP

      98304:qHmoZt7u59aVbR8tZgcj+/XRmVKyyAtk47ew6:qH3t6gk4cj+PROKDAtZaw6

    Score
    10/10
    njratdiscoveryevasionpersistenceprivilege_escalationtrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks