Overview

overview

10

Static

static

3

5022d0bbd3...18.exe

windows7-x64

10

5022d0bbd3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 01:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    5022d0bbd3bc79e688f26ab39736a180

  • SHA1

    2ff4398f048b9cfb5adb80b37672f33eea695d39

  • SHA256

    4d7f60f5f9cd63e753868459d0468b2925cdad0dc9dd53f889e662aa428efebf

  • SHA512

    93dd1c76d0579233817af20f495f836eb40e14253ccc048eccc932edc8731ab47443941b4d0fb66e6ef20f0e3ae8f7899d699a0b5a164d4f96b333d6d5c91524

  • SSDEEP

    6144:JgRHAU4b69faujFyMM3mH1FE+yBFSDhvKHpuEskuTpUSZT3c:Jg12H3mH14BFSDhZEBuTpUw3

Score
10/10
njratdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5022d0bbd3bc79e688f26ab39736a180_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4524
      • C:\Users\Admin\AppData\Local\Temp\skype.exe
        "C:\Users\Admin\AppData\Local\Temp\skype.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\skype.exe" "skype.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4520
    • C:\Users\Admin\AppData\Local\Temp\Crypter.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Crypter.exe
    Filesize

    884KB

    MD5

    dcfb7a85ade58b4541c18ca6e2acfc60

    SHA1

    f8fb98bbf730487d233e4d1e45a056db48b3067e

    SHA256

    c35b90eb66cc4c546ce2c373fe01679911576565a596bae16058bcb1bb8c020f

    SHA512

    439c42825c60366650e6bd6a811cac7bbaeac107c95f00d2e8190273a3cb9a971b7f3d9194f13fdc1f049ff34d1fbcdc9cac49f1fedc79a71c00913e1330ee14

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Server.exe
    Filesize

    28KB

    MD5

    333530806a51f2b7148063bbfc5fde0c

    SHA1

    471f3277d3734b5ab733cc191e7ce93a894f7ff9

    SHA256

    68b5ba555c551ccbcefb405dd5baf00f186f50c8678c0f389ba39506319f3c0f

    SHA512

    54117f2047b8b3c34c123dbc3ce6982da672d674b6240e3a8e71c04fc31b8e5c34bc3eb310c245098fa14b398507e7ceaf50d8043a048a333a3c2bcd532a2813

    Download Submit

  • memory/1724-30-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1724-1-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1724-2-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1724-3-0x000000001C430000-0x000000001C8FE000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/1724-4-0x000000001C9B0000-0x000000001CA9E000-memory.dmp

    Filesize

    952KB

    Download

  • memory/1724-13-0x00007FFDD3620000-0x00007FFDD3FC1000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1724-0-0x00007FFDD38D5000-0x00007FFDD38D6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-28-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-31-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4252-34-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4252-46-0x0000000074CD2000-0x0000000074CD3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4252-47-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4524-29-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4524-32-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4524-35-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4524-44-0x0000000074CD0000-0x0000000075281000-memory.dmp

    Filesize

    5.7MB

    Download