njrat | 39a33f73741118aa05511c1524ad3da573d7fe94a929cc0660c7719a13d335b0

General

Target

efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe
Size

27.6MB
MD5

efc0cbb158d388b5d778f876b7bf63ef
SHA1

a4a0f15afeb62a68917dfc4f0d974b0d69ccdaaa
SHA256

39a33f73741118aa05511c1524ad3da573d7fe94a929cc0660c7719a13d335b0
SHA512

14db18dc1ba4a22369090726cbb932c642b7711135aa0279f038b94a09e53041b09482e5a098dfa450813ebb1df0c75fe3615452118398010e5d3a0a1873f432
SSDEEP

786432:CvYUcHwRXkRVTSAfvQftVmv9lMPKosqJ4:LPQRXAVfyr+lhHl

Score

10^/10

njrat agilenet discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2732	Tool qM6wr Private v1.exe
3576	llk2.exe

Loads dropped DLL 4 IoCs

pid	Process
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2732-41-0x0000000007E70000-0x0000000007EF0000-memory.dmp	agile_net
behavioral2/files/0x0007000000023473-40.dat	agile_net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tool qM6wr Private v1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	llk2.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe
2732	Tool qM6wr Private v1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	Tool qM6wr Private v1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 2732	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	85
PID 4992 wrote to memory of 2732	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	85
PID 4992 wrote to memory of 2732	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	85
PID 4992 wrote to memory of 3576	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	86
PID 4992 wrote to memory of 3576	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	86
PID 4992 wrote to memory of 3576	4992	efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efc0cbb158d388b5d778f876b7bf63ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\Tool qM6wr Private v1.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\Tool qM6wr Private v1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\llk2.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\llk2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\MetroFramework.dll

Filesize
133KB

MD5
a3a380676711eac89f67e0043c21b5d6

SHA1
587c765dc3ca8d3ea2fa55b9f227cef284287522

SHA256
c23cdacb0de78c5c6e8a1dde085cca1bf8261d3b90dac39379a4ac4518d212d1

SHA512
98a8a6741fce19d7817e412d0d2fbe772d8fbda527a3f3a56ddce8dec0bcd23c6e0755402ad816af089f50fdd7b33bd8d834f3af6beb85dbff53830b5c130697

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\PS3Lib.dll

Filesize
475KB

MD5
e2591c9be92cd8f098027885306833aa

SHA1
99f4bef5ab9d4034cfa5e4d3f2eba83c8038eba4

SHA256
f7e015454587c29aff65c82569e629955eb5e52a3a85b4f3677f9f1bc8ab7500

SHA512
68c55f8d07d1aa15f8216b2c2c7512cb88d4f92666295a8a84db46b30ac40cb6c4e774650bf41885aff31cc8d49709a05eb5dde2503864354d9c8b0e57f375b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\Tool qM6wr Private v1.exe

Filesize
28.9MB

MD5
90ca79ee599a1b09eb943920f3082c20

SHA1
0cc10d064322b98adcd51dad213c19d4f9098b15

SHA256
fa61d4fd3f67c8d1683a5690cf4b7a32aa45bb972fb72a16f8e8795fba9b408b

SHA512
2d8a6705416d83636210aa5995c4da698aa236657a3362f3ae0cb5a769a0fd952105d4e5925c7f8996a3bad9e157c128ee3cb8714470f51e72c9d7616122f204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe\Updates\llk2.exe

Filesize
197KB

MD5
0e0cfb1529bbf556f107967c4ebae5ee

SHA1
c8764f32d617224951c191d8a7624cb6f4a6fc35

SHA256
2b838fa014c5dc66cc5f787ec57d6ea89b2700a70d60644e721fcb68d9df4b69

SHA512
f4194d0d117674be83e0ba29a9bd49292f744f68ba839697fe98c23d1244839c6e83a8ceadcfd0db43ff997af4879ec692620e7c0ca976516315e456a29bc185

Download Submit
memory/2732-45-0x0000000008F30000-0x0000000008F52000-memory.dmp

Filesize
136KB

Download
memory/2732-27-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/2732-44-0x00000000095E0000-0x0000000009934000-memory.dmp

Filesize
3.3MB

Download
memory/2732-43-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/2732-30-0x0000000000D40000-0x0000000002A32000-memory.dmp

Filesize
28.9MB

Download
memory/2732-42-0x00000000077D0000-0x00000000077DA000-memory.dmp

Filesize
40KB

Download
memory/2732-41-0x0000000007E70000-0x0000000007EF0000-memory.dmp

Filesize
512KB

Download
memory/2732-37-0x0000000007380000-0x00000000073A8000-memory.dmp

Filesize
160KB

Download
memory/2732-48-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/3576-28-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/3576-31-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download
memory/3576-32-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download
memory/3576-33-0x0000000004DB0000-0x0000000004E06000-memory.dmp

Filesize
344KB

Download
memory/3576-29-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/3576-25-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download
memory/3576-26-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/3576-46-0x0000000005A10000-0x0000000005A1C000-memory.dmp

Filesize
48KB

Download
memory/3576-47-0x000000007357E000-0x000000007357F000-memory.dmp

Filesize
4KB

Download
memory/3576-24-0x000000007357E000-0x000000007357F000-memory.dmp

Filesize
4KB

Download
memory/3576-49-0x0000000073570000-0x0000000073D20000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing