njrat | 391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b

General

Target

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Size

26KB
MD5

9bb86c8073900283af53b3f55d5fedf3
SHA1

73596fcaafdc6c178816c918d35a5b0167011435
SHA256

391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b
SHA512

1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38
SSDEEP

384:qLJCnWzGgqhZArwvaGGuPh5BrM0AQk93vmhm7UMKmIEecKdbXTzm9bVhcalS6prZ:04vMAi0A/vMHTi9bDl

Score

10^/10

njrat super discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

Super

C2

favioserver.ddns.net:8081

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe

Drops startup file 5 IoCs

Processes:

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exechrome.exeattrib.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	chrome.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	chrome.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe

Executes dropped EXE 1 IoCs

Processes:

chrome.exe

pid	Process
5096	chrome.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exechrome.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exechrome.exeattrib.exeattrib.exeattrib.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeDebugPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe
Token: 33	5096	chrome.exe
Token: SeIncBasePriorityPrivilege	5096	chrome.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exechrome.exe

description	pid	Process	procid_target
PID 344 wrote to memory of 5096	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	89
PID 344 wrote to memory of 5096	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	89
PID 344 wrote to memory of 5096	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	89
PID 344 wrote to memory of 4452	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	90
PID 344 wrote to memory of 4452	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	90
PID 344 wrote to memory of 4452	344	9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe	90
PID 5096 wrote to memory of 3892	5096	chrome.exe	93
PID 5096 wrote to memory of 3892	5096	chrome.exe	93
PID 5096 wrote to memory of 3892	5096	chrome.exe	93
PID 5096 wrote to memory of 3816	5096	chrome.exe	94
PID 5096 wrote to memory of 3816	5096	chrome.exe	94
PID 5096 wrote to memory of 3816	5096	chrome.exe	94

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
4452	attrib.exe
3892	attrib.exe
3816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:344
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3892
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3816
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
26KB

MD5
9bb86c8073900283af53b3f55d5fedf3

SHA1
73596fcaafdc6c178816c918d35a5b0167011435

SHA256
391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b

SHA512
1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
c93c9cb631e70617ef969bf10ec6a947

SHA1
5c2c61522527bdaafeaf376e17f4286d715be292

SHA256
c79d96f9ff9635ae78c444031cfb70b7aa1fc1f653096455bf9e49e0df5763ba

SHA512
2506e6bad6d859529b4060c4ad681e72ea3f172fd7e6fad1e5276d8d91363655abf43bd28d1aeb20b87ad5abb19ffce990cc1543929078105d8e6987e4e27a92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
466108acaac9cbd368b9e12b3f05d314

SHA1
4b9c3c327627a38b380604c7cb3129c02f289a48

SHA256
c3dd8622bff4aec6474d9001f569e7f41b39c0d10efa2ebdd25f136da5ba7c4d

SHA512
bf6798f5b7549259a21de1f7442fd728bc191c6b4cef11e47bdd85b8fb7d6f9cb2936120707542da141c8080f50f5c0e89a50c1d11829dc58f7106ff6e0ba5c5

Download Submit
memory/344-1-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/344-2-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/344-5-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/344-6-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/344-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/5096-16-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/5096-21-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/5096-23-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/5096-25-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/5096-26-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/5096-27-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads