Overview

overview

10

Static

static

10

CROCODILEJFDHJRTA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    10s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 19:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CROCODILEJFDHJRTA.exe

  • Size

    2.1MB

  • MD5

    149f649f898409182fcad1ef424ca4cf

  • SHA1

    89098a69e94ed941385bc2ebf00cd8d3c4e47450

  • SHA256

    f5df17fe1d42b1bcb04578bc05f1ae9787d12ebb5c18cf4df18c861120be0532

  • SHA512

    3dbba29127add72bf5e4f3c7ef5e24d4f693d67b28b2650b0a2364a17274fc0967387ca860ec5d619e40c884b54af41fb9c54425e2aaaa4e3e7555d998ce9a06

  • SSDEEP

    49152:6XtCE3Q3PNxLtxcpMLtxcpVLtxcpNCCjAli9LrLtxcF6+zI:UCl1cpkcpxcpNCdCXcF6+U

Score
10/10
njratdiscoverytrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe
    "C:\Users\Admin\AppData\Local\Temp\CROCODILEJFDHJRTA.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\Gaming.exe
      "C:\Users\Admin\AppData\Local\Temp\Gaming.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4872
    • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
      "C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4788
      • C:\Users\Admin\AppData\Local\Temp\3.EXE
        "C:\Users\Admin\AppData\Local\Temp\3.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Users\Admin\AppData\Local\Temp\wincheon64.exe
          "C:\Users\Admin\AppData\Local\Temp\wincheon64.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2164
      • C:\Users\Admin\AppData\Local\Temp\4.EXE
        "C:\Users\Admin\AppData\Local\Temp\4.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Users\Admin\AppData\Local\Temp\1.EXE
          "C:\Users\Admin\AppData\Local\Temp\1.EXE"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Users\Admin\AppData\Local\Temp\svchots.exe
            "C:\Users\Admin\AppData\Local\Temp\svchots.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4800
        • C:\Users\Admin\AppData\Local\Temp\2.EXE
          "C:\Users\Admin\AppData\Local\Temp\2.EXE"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:348

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.EXE
    Filesize

    37KB

    MD5

    c6a973c4f6ea4969cae1c41d25c5d78c

    SHA1

    12efa1281e57437119df3c8488cd4daadabc80c3

    SHA256

    5a93d1082d4fa0b442f3bf42066a22cdba8f32f2d50dbc1dd9f4db81fa73b496

    SHA512

    4d03fb5bdf9cf340b0a6809858f8da2d0e834f58cfb2182828e16b9a5faae5aeae154c5f7643298e54b3f0e1b8f33265bad82191b9a58bc3dadf3d4f99adb25e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2.EXE
    Filesize

    27KB

    MD5

    a5d943b57ae77aab0788d29333ab1227

    SHA1

    4d94e5d4ec4822f4562042216e614c3dddf447c1

    SHA256

    2b7eb9a069471b3547adbfcb21c0d76424ba07b5a556693e377bd72223447b6f

    SHA512

    d46dc2c74679c33d0a981b297e24a142393ce06e063cd2a859b375beb0d5b0fa134ca3241bdbc01f77f02ad85ac3cf697bed640cb708449051c855412b9fce0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3.EXE
    Filesize

    32KB

    MD5

    4f5d50f723896266e70dbb5a0e72ff21

    SHA1

    d3b1fe30f1baaf9e1d34baeb3eaf75619129e490

    SHA256

    83ed6bee9f71403ad9f43b467b99205230e043833a3d014964e79e603613879d

    SHA512

    a8e7ae8aa0a03ccf82be1a58595a17642c8045cf9886266f74ca72b8a23485e9e011ec2018fc9ebd6a9f5c69c5583cc6951ef3320d87037d5f2a8ebc2e6a16e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4.EXE
    Filesize

    117KB

    MD5

    89514d6d4e78ab9f33f24f99ea3b1361

    SHA1

    5e055754b253e2814a1d081a66236b583d982a8b

    SHA256

    8da8b662e1e221793959653c7fb940e2313e5cab2325a3dd7392380924f6129a

    SHA512

    c81f102c4579ad0f27dfcb60aacd22f351f13f988e4a8080092edb64cef9b4006298e94ce55f6d5cff0aef07e5eb7fa2a6c981b8023f9f1827df387d497f7fb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\GameHarroer.exe
    Filesize

    202KB

    MD5

    90de032c5bc78043531d08ed1bf8ec19

    SHA1

    edd41ecf58e32c3f57ba90ee2fcf3d0e4a9c2cf1

    SHA256

    98df5e2377549819b17759d05406f3c97711a76836aa2bf427ef08045b5ef80d

    SHA512

    5ec5e7a4c35312bf7be5a3353aab857e98c7c0d68188a0b488574027236d1c14118924d500d82d11814c59f85d572226da71620d818d1df49eac95dac080ed8c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Gaming.exe
    Filesize

    1.5MB

    MD5

    205604c1ca8e135124962cd5a04b3ca9

    SHA1

    1d4816032549ad0d2e64d95a873034a80ef3744b

    SHA256

    b95b972f8212de7598ec32e544b5689c6f9b4beef8c2fdc41b5ca5a7b11e3ce8

    SHA512

    69c189b597ce3ad37aad873f224faa439c085cb7af3594cedcdbe0100d41ec4f61c2eb161e698cacdacb5d198e388b1896a5f4b8250ee910690c6cc53f14cdf6

    Download Submit

  • memory/2616-24-0x0000000075450000-0x0000000075A01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2616-2-0x0000000075450000-0x0000000075A01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2616-1-0x0000000075450000-0x0000000075A01000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2616-0-0x0000000075452000-0x0000000075453000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3560-83-0x00000000743E0000-0x0000000074991000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-48-0x00000000743E0000-0x0000000074991000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3560-44-0x00000000743E2000-0x00000000743E3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3560-49-0x00000000743E0000-0x0000000074991000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4872-45-0x0000000005530000-0x00000000055CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4872-52-0x00000000055D0000-0x0000000005662000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4872-53-0x00000000054E0000-0x00000000054EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4872-54-0x00000000057E0000-0x0000000005836000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4872-50-0x0000000005B80000-0x0000000006124000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4872-27-0x0000000000AA0000-0x0000000000C28000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4872-25-0x00000000721DE000-0x00000000721DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4872-93-0x00000000721DE000-0x00000000721DF000-memory.dmp

    Filesize

    4KB

    Download