Analysis
-
max time kernel
149s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 23:09
General
-
Target
ee9c59ed661de901b23475e7b6af8c5c_JaffaCakes118.exe
-
Size
252KB
-
MD5
ee9c59ed661de901b23475e7b6af8c5c
-
SHA1
34a9f7397cbac20c422067683b1bb87659d4c3c6
-
SHA256
25e5c94e59845bf8f4096d2eee10ab131e31096b957e1034c1fc0fd1164c1927
-
SHA512
d3d2d301f6a81005a7134ba756bf91765b311f992cb882cc94501c2ecd494a80666ce6f4a6a07bfa16ea5b15d523fa2c7917906b3a4c7deff38ddfd55ae753a6
-
SSDEEP
3072:bYs03EcckEmNoSsmfYgaKSRye29MXHPJ+TBVPRvdlDrwpxaZb8ywfxs54xoWav4M:s0Ss75S9cJ+503g8/0QO
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee9c59ed661de901b23475e7b6af8c5c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee9c59ed661de901b23475e7b6af8c5c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
252KB
MD5ee9c59ed661de901b23475e7b6af8c5c
SHA134a9f7397cbac20c422067683b1bb87659d4c3c6
SHA25625e5c94e59845bf8f4096d2eee10ab131e31096b957e1034c1fc0fd1164c1927
SHA512d3d2d301f6a81005a7134ba756bf91765b311f992cb882cc94501c2ecd494a80666ce6f4a6a07bfa16ea5b15d523fa2c7917906b3a4c7deff38ddfd55ae753a6
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
272KB
-
Filesize
56KB
-
Filesize
10.8MB
-
Filesize
10.8MB