njrat | 3c90f7e66714f9cf7b2912e62a5772d0b47d0548bfa92376ebc5fa08cbc21a4e

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
Size

760KB
MD5

f12d0d690b86148cce1f7d01911b5359
SHA1

34cba5dc1de74d656c2b6e52789779689ff5d967
SHA256

3c90f7e66714f9cf7b2912e62a5772d0b47d0548bfa92376ebc5fa08cbc21a4e
SHA512

95405496452b02225c2c292f53382e762adc0ea2a9cb9c07b9cd00a34d1405f27a5c3e4f928810b6b887dff71ff0a95faa09e41292078f1609dea5a9cdae1ab5
SSDEEP

12288:JcrNS33L10QdrXZT+tcWn0s6tKWOj4f1cfS4yWr9ousp1oRUr5jjo/:0NA3R5drX/W9tWqWSSSvU1oi4

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

2.tcp.ngrok.io:18729

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	svhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	svhost.exe

Executes dropped EXE 7 IoCs

pid	Process
2760	Photo.exe
2996	Server.sfx.exe
1912	Server.exe
1620	svhost.exe
992	Server.exe
2264	Server.exe
292	Server.exe

Loads dropped DLL 7 IoCs

pid	Process
2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
2604	cmd.exe
2996	Server.sfx.exe
2996	Server.sfx.exe
2996	Server.sfx.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe\" .."	svhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	2.tcp.ngrok.io
17	2.tcp.ngrok.io
27	2.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Photo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1140	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1912	Server.exe
1620	svhost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe
Token: 33	1620	svhost.exe
Token: SeIncBasePriorityPrivilege	1620	svhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	DllHost.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2760	2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2760	2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2760	2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe	31
PID 2948 wrote to memory of 2760	2948	f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe	31
PID 2760 wrote to memory of 2604	2760	Photo.exe	32
PID 2760 wrote to memory of 2604	2760	Photo.exe	32
PID 2760 wrote to memory of 2604	2760	Photo.exe	32
PID 2760 wrote to memory of 2604	2760	Photo.exe	32
PID 2604 wrote to memory of 2996	2604	cmd.exe	34
PID 2604 wrote to memory of 2996	2604	cmd.exe	34
PID 2604 wrote to memory of 2996	2604	cmd.exe	34
PID 2604 wrote to memory of 2996	2604	cmd.exe	34
PID 2996 wrote to memory of 1912	2996	Server.sfx.exe	35
PID 2996 wrote to memory of 1912	2996	Server.sfx.exe	35
PID 2996 wrote to memory of 1912	2996	Server.sfx.exe	35
PID 2996 wrote to memory of 1912	2996	Server.sfx.exe	35
PID 1912 wrote to memory of 1620	1912	Server.exe	36
PID 1912 wrote to memory of 1620	1912	Server.exe	36
PID 1912 wrote to memory of 1620	1912	Server.exe	36
PID 1620 wrote to memory of 1140	1620	svhost.exe	38
PID 1620 wrote to memory of 1140	1620	svhost.exe	38
PID 1620 wrote to memory of 1140	1620	svhost.exe	38
PID 2828 wrote to memory of 992	2828	taskeng.exe	41
PID 2828 wrote to memory of 992	2828	taskeng.exe	41
PID 2828 wrote to memory of 992	2828	taskeng.exe	41
PID 2828 wrote to memory of 2264	2828	taskeng.exe	42
PID 2828 wrote to memory of 2264	2828	taskeng.exe	42
PID 2828 wrote to memory of 2264	2828	taskeng.exe	42
PID 2828 wrote to memory of 292	2828	taskeng.exe	43
PID 2828 wrote to memory of 292	2828	taskeng.exe	43
PID 2828 wrote to memory of 292	2828	taskeng.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f12d0d690b86148cce1f7d01911b5359_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Photo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Photo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Server.sfx.exe
      Server.sfx.exe -pqazwsx123
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Server.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1140

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {9565D415-C3FD-452C-98E6-4B2632AA02A6} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Executes dropped EXE
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pacany-na-avu-062.jpg

Filesize
125KB

MD5
ce3b56f909573914bddf3f394267ca8d

SHA1
10d8e3fb17186a72a7c6d51ec516bb1de4c92f06

SHA256
ec7e1208eeb666b260df7458d4a2a602ea9c9aede53b35e2445006e42d013796

SHA512
b876e5e85cc16ccbb8ec61ffe706eb5ab8f422d33bc28c10e2a10f86f4f197a0ce62a9f87cd599d3ee441ea07667e7e03a8be739ec404504cb7669bbd89f9b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat

Filesize
43B

MD5
6866420d995e05262a2d6e02f2d9dea6

SHA1
a2ccaf31a9728d7c8307c6ee9f1727f4145d7a0b

SHA256
5a82c2b52897e92236163397494bad624d863292185fc1efb738450814bebea8

SHA512
7cdfec8d01427b3da23e6206843d54d63bba6b8027e445bc60327e57c04e20c458109bc19f7fd5d6b08ad7b26aa8ba9c562fea62910237f08fcbce589acb31d4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Photo.exe

Filesize
474KB

MD5
21a94b17436a53c51b8705d0c6236720

SHA1
8fb2efe966bbb75e73b1321a0060d859e4915217

SHA256
f0ed866b66b889b68ee56274562d16d4b688608aecb05e5447ca9084a5677413

SHA512
97952c63d19378d717d2a3a67863776108d3b963673e46a65a0448c872dc781d09d9afa8e812e392f0b6a8f43615d5e57784ea57bb28e185b38ad10cd9595fbe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Server.sfx.exe

Filesize
316KB

MD5
71b2beecb42585ff4eb1cc5b4dfc92a0

SHA1
2a3d0bae170df989ffa9fc7fc5589e5f659c609b

SHA256
1f33425db77d57beda8f6b7aa42960ca445d51728453450320013c47188a71d8

SHA512
94e2b8027796eb9f0cfda15968b4331f5b7069285f3680b0d14aab42fcd7971e80fcaaeff20ec0a92101439338192eb4e4b3b8496ff8825ca1e6182859496a28

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX2\Server.exe

Filesize
25KB

MD5
8480b324283fc52353afb327fe10028e

SHA1
471dd43a66dbad1be2cb51502b022be6647c7f6b

SHA256
2abceec17e6367a28b201c9222b813ae053ff62605e8d8a5c9a3f96f6d5b5db5

SHA512
3cb6a445935948a8d4e47a57ba06b0ba1e74f3b0844f69ef80ebbbf127aaa5424ba0d26861a0ef681bfe019dbced842f947ae6d521e9050b619a343f17b1437e

Download Submit
memory/992-66-0x0000000001380000-0x0000000001388000-memory.dmp

Filesize
32KB

Download
memory/1620-57-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/1912-50-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1912-51-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2868-59-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2948-58-0x0000000000DE0000-0x0000000000DE2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads