njrat | 391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b

General

Target

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Size

26KB
MD5

9bb86c8073900283af53b3f55d5fedf3
SHA1

73596fcaafdc6c178816c918d35a5b0167011435
SHA256

391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b
SHA512

1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38
SSDEEP

384:qLJCnWzGgqhZArwvaGGuPh5BrM0AQk93vmhm7UMKmIEecKdbXTzm9bVhcalS6prZ:04vMAi0A/vMHTi9bDl

Score

10^/10

njrat super discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Super

C2

favioserver.ddns.net:8081

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	chrome.exe

Executes dropped EXE 1 IoCs

pid	Process
2144	chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe
Token: 33	2144	chrome.exe
Token: SeIncBasePriorityPrivilege	2144	chrome.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2144	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	31
PID 1224 wrote to memory of 2144	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	31
PID 1224 wrote to memory of 2144	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	31
PID 1224 wrote to memory of 2144	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	31
PID 1224 wrote to memory of 2668	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	32
PID 1224 wrote to memory of 2668	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	32
PID 1224 wrote to memory of 2668	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	32
PID 1224 wrote to memory of 2668	1224	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	32
PID 2144 wrote to memory of 2608	2144	chrome.exe	34
PID 2144 wrote to memory of 2608	2144	chrome.exe	34
PID 2144 wrote to memory of 2608	2144	chrome.exe	34
PID 2144 wrote to memory of 2608	2144	chrome.exe	34
PID 2144 wrote to memory of 2820	2144	chrome.exe	35
PID 2144 wrote to memory of 2820	2144	chrome.exe	35
PID 2144 wrote to memory of 2820	2144	chrome.exe	35
PID 2144 wrote to memory of 2820	2144	chrome.exe	35

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2668	attrib.exe
2608	attrib.exe
2820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2608
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2820
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
c7bacc12f165ab5dbbd5a2ae9f2dfca3

SHA1
b5017a1d4edee7765391990b42e58043e84b5914

SHA256
824baa52042f45bb6bf540719d4635dda57d85989086686e4cf765970847b90e

SHA512
acc855362f306368ccbca867f73525e4f2f6cec6c8114e9a706766fdfbe58edcb7b3821b174ab0f22a820e79ecc6ea6a93e1508617745e17015807c2610a4cb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1018B

MD5
5ee8b0aaba1bbc7650be293e7ba97e38

SHA1
fecdfe9bc6eb3dd1648d11d954fcd7222a2c8e05

SHA256
3931dc1e16b459204b7301391b08fb84190b1bbe5721bb8b2d3a24fa2b37d474

SHA512
a3c9ba8c5bebd4a9cddc2b43429a2d5824870e17288939d9bfa333ab35601f78da80405c34bde9a215f88ec5ca01ca4c6ee0d4af69bee4b0c130a1ac8be311ac

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
26KB

MD5
9bb86c8073900283af53b3f55d5fedf3

SHA1
73596fcaafdc6c178816c918d35a5b0167011435

SHA256
391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b

SHA512
1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38

Download Submit
memory/1224-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/1224-1-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1224-4-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/2144-15-0x0000000001340000-0x000000000134C000-memory.dmp

Filesize
48KB

Download
memory/2144-20-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-21-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-24-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2144-25-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads