Overview

overview

10

Static

static

1

3b293d7482...18.vbs

windows7-x64

10

3b293d7482...18.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b293d74827ff906a5ca3a4e4439e98f_JaffaCakes118.vbs

  • Size

    188KB

  • MD5

    3b293d74827ff906a5ca3a4e4439e98f

  • SHA1

    76d14a79e2be1543ab79873e7b87f0deee8aad17

  • SHA256

    3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

  • SHA512

    255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

  • SSDEEP

    3072:GJOgUyL6Msee8JZo34CTmlXbvMnSIRLMH8eOtWejCOGXeAYgFwnHBKLg209BY:GFXO8JZi4CTmlXbUn3FuODCRXeUwKG6

Score
10/10
njrat|erica|discoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

|Erica|

C2

drpc.duckdns.org:1414

Mutex

48d74fcafbfa01ee33743b0d0ea39495

Attributes
  • reg_key

    48d74fcafbfa01ee33743b0d0ea39495

  • splitter

    TOP

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b293d74827ff906a5ca3a4e4439e98f_JaffaCakes118.vbs"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\SYSWOW64\WSCRIPT.EXE
      "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\3b293d74827ff906a5ca3a4e4439e98f_JaffaCakes118.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\google.vbs.BIN"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1500
      • C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE
        "C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5004
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Windows\MICROSOFT.NET\FRAMEWORK\V2.0.50727\MSBUILD.EXE" "MSBUILD.EXE" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\google.vbs.BIN
    Filesize

    13KB

    MD5

    e0b8dfd17b8e7de760b273d18e58b142

    SHA1

    801509fb6783c9e57edc67a72dde3c62080ffbaf

    SHA256

    4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

    SHA512

    443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\google.vbs.vbs
    Filesize

    188KB

    MD5

    3b293d74827ff906a5ca3a4e4439e98f

    SHA1

    76d14a79e2be1543ab79873e7b87f0deee8aad17

    SHA256

    3f330d95bd8bf7c71809189a1aa5285fea9d63fc7d193cda4b827e04bfa16bb3

    SHA512

    255295a70314398b0b96d4408f0606d385773accd0d5811cb697ff4f80b58c15f600ef9f18e17b09edfab9879541e6104fc759343cd36e1ed609899598a62d8a

    Download Submit

  • memory/3956-10-0x00000000037F0000-0x00000000037F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5004-11-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5004-12-0x0000000001570000-0x0000000001580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5004-13-0x0000000001570000-0x0000000001580000-memory.dmp

    Filesize

    64KB

    Download