njrat | 16dd470cb509378fa66178d54a2376f26c204a8d7742eeacd746106aa8fb43a2

General

Target

21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe
Size

6.9MB
MD5

21a041665739c2c913f293f0d8085e0d
SHA1

bfc0dcdab5efeb5cfc6ea38f2f7ad40a3e5e8d4e
SHA256

16dd470cb509378fa66178d54a2376f26c204a8d7742eeacd746106aa8fb43a2
SHA512

6b0e104e2f3826bf9300866a02b7249f2ed0cc111f76f8c786f84be8af7b647257e7ac542babfecbb6d8a702ae779d74821bcdf39db26b67622a77ce302d6100
SSDEEP

196608:mezqgNY2R7H8FCp3u1685Gkip0hyL0HV:mez/W2tcoN0guI0H

Score

10^/10

njrat ??????discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

??????

C2

5.166.121.239:15

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	PHASMO~1.EXE

Executes dropped EXE 7 IoCs

pid	Process
4976	PHASMO~1.EXE
412	PHASMO~1.EXE
5028	svchost.exe
2504	PHASMO~2.EXE
4860	Launcher.exe
1500	Server.exe
3108	Server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	PHASMO~1.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\ProgramData\\svchost.exe\" .."	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2040	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
412	PHASMO~1.EXE
5028	svchost.exe
1500	Server.exe
3108	Server.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	Launcher.exe
Token: SeDebugPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe
Token: 33	5028	svchost.exe
Token: SeIncBasePriorityPrivilege	5028	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 4976	468	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe	84
PID 468 wrote to memory of 4976	468	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe	84
PID 4976 wrote to memory of 412	4976	PHASMO~1.EXE	85
PID 4976 wrote to memory of 412	4976	PHASMO~1.EXE	85
PID 412 wrote to memory of 5028	412	PHASMO~1.EXE	88
PID 412 wrote to memory of 5028	412	PHASMO~1.EXE	88
PID 4976 wrote to memory of 2504	4976	PHASMO~1.EXE	89
PID 4976 wrote to memory of 2504	4976	PHASMO~1.EXE	89
PID 468 wrote to memory of 4860	468	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe	90
PID 468 wrote to memory of 4860	468	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe	90
PID 468 wrote to memory of 4860	468	21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe	90
PID 5028 wrote to memory of 2040	5028	svchost.exe	93
PID 5028 wrote to memory of 2040	5028	svchost.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\21a041665739c2c913f293f0d8085e0d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PHASMO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PHASMO~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~1.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\ProgramData\svchost.exe
      "C:\ProgramData\svchost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~2.EXE
    3⤵
    - Executes dropped EXE
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Launcher.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4860

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1500

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log

Filesize
1KB

MD5
a8a147915e3a996fdbe10b3a3f1e1bb2

SHA1
abc564c1be468d57e700913e7b6cf8f62d421263

SHA256
8b96a8557deea66696837af011843d6a82451ba57c8f9b5a2726a70818d6fc7e

SHA512
17b42f17ef60a9f625703172763f692e5ed2ca93564a97853dfa72bb0ac6305ef3267aea0b205938e3aa8eac10156d9d4f322b30d0329d92d647bcec6372731c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Launcher.exe

Filesize
6.6MB

MD5
3306c8ffe15fea29a0a59fac9805daf4

SHA1
980506195b477689a29f1e94a00ffb56808012dd

SHA256
2ad12bf130d62371e2eceb66955178e26d929899e8e49b84c18925068e867d7a

SHA512
41190e3c2e7d35b24f2dc799c5a10070672bd1e0ae8b369fd8a96bfae0ef9284372d28f94eea8c02dbdf96d2274f63ebd50591b387558a33548e9798c88ba4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PHASMO~1.EXE

Filesize
401KB

MD5
f53476f256c6f3f8e79b1212e523f032

SHA1
d0196f71a32ea04bb14d9b43e2ef011f680c48b7

SHA256
bb5e5c54c9d99265f0bdbd337c038941102f84a2bc377a46a98870c3b35499a7

SHA512
8751f927aa2c82dd9e3e126cab5d10a98afb2b9adb7913e1bc3f894fc7334ceac617c652bda01519d03e40fdc031474e2d72a4c2e44c1132797824ea8957b83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~1.EXE

Filesize
230KB

MD5
d1745b02a7b1aba1101ca105825893ef

SHA1
157bc0fedad74d7437ddfa5d477b2f0f2f12d7a0

SHA256
b7328d0f8718dd4d84c2d2312f4fdc5f26ec62c01e952ddf0e7da0883efadc35

SHA512
fabfbd332d61a99055235a08a5dd771bac2d7f8884a45f9d02d744ccda8c73be14c82bc64b8760ab2b3ad7d225a60be1256bf70388e3b0cdf5b06075c350aeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\PHASMO~2.EXE

Filesize
635KB

MD5
a1a6483f6ae6725e323e4b39d034419b

SHA1
681b9992968713a09b61ae46b949c69907c511ae

SHA256
d8b00ecc3b4bde440a3978659bee45431d069ac7f817feab529b4fa88026d430

SHA512
5989da856d9b5836e0bdebf50be8c5b7fcc71eb719be9c1c6f312d54f9acf81d034f2b79a8fd61baee5f6d7eeb053746527db3ddef2e1d04550eae25f66784f6

Download Submit
memory/412-13-0x00007FF9DE0D3000-0x00007FF9DE0D5000-memory.dmp

Filesize
8KB

Download
memory/412-14-0x0000000000F30000-0x0000000000F6A000-memory.dmp

Filesize
232KB

Download
memory/412-15-0x0000000001710000-0x0000000001722000-memory.dmp

Filesize
72KB

Download
memory/412-16-0x00007FF9DE0D0000-0x00007FF9DEB91000-memory.dmp

Filesize
10.8MB

Download
memory/412-17-0x00007FF9DE0D3000-0x00007FF9DE0D5000-memory.dmp

Filesize
8KB

Download
memory/412-27-0x00007FF9DE0D0000-0x00007FF9DEB91000-memory.dmp

Filesize
10.8MB

Download
memory/4860-35-0x0000000000C80000-0x000000000247E000-memory.dmp

Filesize
24.0MB

Download
memory/4860-37-0x0000000006C80000-0x0000000006CD0000-memory.dmp

Filesize
320KB

Download
memory/4860-41-0x0000000007440000-0x00000000074F0000-memory.dmp

Filesize
704KB

Download
memory/4860-40-0x0000000006C20000-0x0000000006C30000-memory.dmp

Filesize
64KB

Download
memory/4860-39-0x0000000006C10000-0x0000000006C1A000-memory.dmp

Filesize
40KB

Download
memory/4860-38-0x0000000006CD0000-0x0000000007442000-memory.dmp

Filesize
7.4MB

Download
memory/4860-43-0x0000000007A90000-0x0000000007B4A000-memory.dmp

Filesize
744KB

Download
memory/4860-42-0x00000000079C0000-0x00000000079C8000-memory.dmp

Filesize
32KB

Download
memory/4860-44-0x000000000D8E0000-0x000000000D902000-memory.dmp

Filesize
136KB

Download
memory/4860-45-0x000000000D930000-0x000000000DC84000-memory.dmp

Filesize
3.3MB

Download
memory/4860-36-0x000000000B3C0000-0x000000000BC64000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads