Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 22:40
General
-
Target
372af030e33e6326192782579c0160dc_JaffaCakes118.exe
-
Size
69KB
-
MD5
372af030e33e6326192782579c0160dc
-
SHA1
44059731a3fa1e990698fa09935cfa7ab79dca49
-
SHA256
9dcf50d314d9541efbfd3b519fe5bc619478d8fcd116ab21ada07c4da2786088
-
SHA512
cd0aa59c889e9a8933ffda4a33bdf175c318a0c1c3258c88d83a77e2356c06cb5cc7dac7bce03459376a213620caee587061a38e406efe57d520c503ee2d6b8f
-
SSDEEP
1536:cWD1ciNrSVTR1cQHUeq/6YThUoUyPspdA4GSuw1+:vD+JR1cQ0eqCYThU5yPedv+
Malware Config
Signatures
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\372af030e33e6326192782579c0160dc_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\372af030e33e6326192782579c0160dc_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"C:\Users\Admin\AppData\Local\Temp\[Mr.Abu Hani].exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe"C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe"3⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Windows Audio Device Graph Isolation .exe" "Windows Audio Device Graph Isolation .exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD51b6071dc1c6ca35c780dc5dcf5392ba3
SHA1c331def6c09f8c82bc71826b9df035e8fcc5059d
SHA25689a5182594c48407f4588d196d1a22dbed83f4a01023a9e5f6730f5b318ff721
SHA5127b5d03b817025b423d0331a73bd32bb5ec2b5a6fa16bbf40c58695ee193c7dad66187b1574cadd59259799a6c80eabe4031e7d2ea9b22c9333c772d6e4b47c56
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
96KB