njrat | 86ebe1fa6a22476b626674e022b22fc47ff62d076ca224533952fd98e79da6aa

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
Size

317KB
MD5

fb208e0c16a9f0429f74790360279064
SHA1

f17b9c0d7761412ccf60f81ff6b6b93a2678a5b3
SHA256

86ebe1fa6a22476b626674e022b22fc47ff62d076ca224533952fd98e79da6aa
SHA512

183d360b2cf1935a7c31b942dd745f6e95f2c63e5872185ae47eb07e1aad3984d63630ae2f3e55dae5b9314a1d9341f261c24db7f22add37b10c970ec34685f9
SSDEEP

6144:zIIcrXQ4S33w614mazUBHfSdocWYD24O/X+tGfnDUQPmx7:9crNS33L10QdrXP/X+tGfnDUQPO7

Score

10^/10

njrat vk discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

popeyeth.mooo.com:27018

Mutex

87736a04cc0c0a483461bb74827da123

Attributes

reg_key
87736a04cc0c0a483461bb74827da123
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3064	netsh.exe
3020	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba4c12bee3027d94da5c81db2d196bfd.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87736a04cc0c0a483461bb74827da123.exe	Microsoft Corporation.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87736a04cc0c0a483461bb74827da123.exe	Microsoft Corporation.exe

Executes dropped EXE 4 IoCs

pid	Process
2032	svchost.exe
2408	svchost.exe
3032	Microsoft Corporation.exe
2684	Microsoft Corporation.exe

Loads dropped DLL 8 IoCs

pid	Process
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
2032	svchost.exe
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
3032	Microsoft Corporation.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba4c12bee3027d94da5c81db2d196bfd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\87736a04cc0c0a483461bb74827da123 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Corporation.exe\" .."	Microsoft Corporation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\87736a04cc0c0a483461bb74827da123 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft Corporation.exe\" .."	Microsoft Corporation.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Corporation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft Corporation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe
2408	svchost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	svchost.exe
Token: SeDebugPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe
Token: 33	2684	Microsoft Corporation.exe
Token: SeIncBasePriorityPrivilege	2684	Microsoft Corporation.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	28
PID 1016 wrote to memory of 2032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	28
PID 1016 wrote to memory of 2032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	28
PID 1016 wrote to memory of 2032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2408	2032	svchost.exe	29
PID 2032 wrote to memory of 2408	2032	svchost.exe	29
PID 2032 wrote to memory of 2408	2032	svchost.exe	29
PID 2032 wrote to memory of 2408	2032	svchost.exe	29
PID 1016 wrote to memory of 3032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	30
PID 1016 wrote to memory of 3032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	30
PID 1016 wrote to memory of 3032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	30
PID 1016 wrote to memory of 3032	1016	fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe	30
PID 2408 wrote to memory of 3064	2408	svchost.exe	31
PID 2408 wrote to memory of 3064	2408	svchost.exe	31
PID 2408 wrote to memory of 3064	2408	svchost.exe	31
PID 2408 wrote to memory of 3064	2408	svchost.exe	31
PID 3032 wrote to memory of 2684	3032	Microsoft Corporation.exe	33
PID 3032 wrote to memory of 2684	3032	Microsoft Corporation.exe	33
PID 3032 wrote to memory of 2684	3032	Microsoft Corporation.exe	33
PID 3032 wrote to memory of 2684	3032	Microsoft Corporation.exe	33
PID 2684 wrote to memory of 3020	2684	Microsoft Corporation.exe	34
PID 2684 wrote to memory of 3020	2684	Microsoft Corporation.exe	34
PID 2684 wrote to memory of 3020	2684	Microsoft Corporation.exe	34
PID 2684 wrote to memory of 3020	2684	Microsoft Corporation.exe	34

C:\Users\Admin\AppData\Local\Temp\fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb208e0c16a9f0429f74790360279064_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3064
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft Corporation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft Corporation.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Microsoft Corporation.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft Corporation.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Microsoft Corporation.exe" "Microsoft Corporation.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchost.exe

Filesize
28KB

MD5
848d65828d0da957b3befc3b70220e24

SHA1
2456713eab021bfdae6f7d034530dd224ef0ff7a

SHA256
02f471fa9783bc3982811ac076782bd2f468b3bb5dacbbbf6bb94a42f4e9631b

SHA512
5dfc2f89226785c8f50411a69a6c3e2a7737d0d5ea1ef9219a21ada8d34ed35a1e2408f9b8de7682593dca9c228273fa3daca6d286f4ed5664e9ee69d16e1936

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft Corporation.exe

Filesize
23KB

MD5
5f5ee5adb49c2819279740a4387539c2

SHA1
fc24f9f448c96625b7aad35dd99d5cda5087bb78

SHA256
ae21bab6821ce2c24fef1e07eda544ea4058a557f801038ebeeac695e3f098ce

SHA512
29bbcaf73d91ee31cb734af1e5afef70fdb08ae1b32c5d7e3954d87d765b46611635e5f711cdfb6f3c2e0af7da1493629103f707b2f2c00be79eb4a2cb98ed27

Download Submit
memory/2032-16-0x0000000073C11000-0x0000000073C12000-memory.dmp

Filesize
4KB

Download
memory/2032-17-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-18-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-26-0x0000000073C10000-0x00000000741BB000-memory.dmp

Filesize
5.7MB

Download