njrat | 0cb0967013154e7b7b77ebb1eaef5540c4c9e8d5c5cdf48470e102551fee9b50

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Size

533KB
MD5

9dd417d204ae1284bd84604b69c2d166
SHA1

9291654d54e587061cecf41513e361a3e70ae3db
SHA256

0cb0967013154e7b7b77ebb1eaef5540c4c9e8d5c5cdf48470e102551fee9b50
SHA512

8c898e5b0459aea7c92fb2958ad5dcb5fd244e31ebddae82e9916ce09ab16650cb9ff05603419d90c1993bf36affe6cbca00c78cfb91a54e87efa7a18fb4b045
SSDEEP

12288:Autr2CcB3L0q4pcAN3QiLb8Jy4lspfblqadl5deLY:Akr69b4p7QabOLepDlb5F

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

surebox.ddns.net:5552

Mutex

96da6daf5c20026edbb7f9fbf43bfe30

Attributes

reg_key
96da6daf5c20026edbb7f9fbf43bfe30
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1944	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	M.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	M.exe

Executes dropped EXE 7 IoCs

pid	Process
3176	M.exe
3912	M.exe
3716	FB_A0B4.tmp.exe
2868	M.exe
2704	M.exe
388	server.exe
924	server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FB_A0B4.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\96da6daf5c20026edbb7f9fbf43bfe30 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\96da6daf5c20026edbb7f9fbf43bfe30 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3176 set thread context of 3912	3176	M.exe	85
PID 2868 set thread context of 2704	2868	M.exe	88
PID 388 set thread context of 924	388	server.exe	99

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cbe-6.dat	upx
behavioral2/memory/3176-7-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/3176-24-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/2868-45-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/2868-57-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/388-76-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_A0B4.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3176	M.exe
3176	M.exe
3176	M.exe
3176	M.exe
2868	M.exe
2868	M.exe
2868	M.exe
2868	M.exe
388	server.exe
388	server.exe
388	server.exe
388	server.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe
Token: 33	924	server.exe
Token: SeIncBasePriorityPrivilege	924	server.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3176	M.exe
3176	M.exe
2868	M.exe
2868	M.exe
388	server.exe
388	server.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3176	228	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	84
PID 228 wrote to memory of 3176	228	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	84
PID 228 wrote to memory of 3176	228	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	84
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3176 wrote to memory of 3912	3176	M.exe	85
PID 3912 wrote to memory of 3716	3912	M.exe	86
PID 3912 wrote to memory of 3716	3912	M.exe	86
PID 3912 wrote to memory of 3716	3912	M.exe	86
PID 3716 wrote to memory of 2868	3716	FB_A0B4.tmp.exe	87
PID 3716 wrote to memory of 2868	3716	FB_A0B4.tmp.exe	87
PID 3716 wrote to memory of 2868	3716	FB_A0B4.tmp.exe	87
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2868 wrote to memory of 2704	2868	M.exe	88
PID 2704 wrote to memory of 388	2704	M.exe	98
PID 2704 wrote to memory of 388	2704	M.exe	98
PID 2704 wrote to memory of 388	2704	M.exe	98
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 388 wrote to memory of 924	388	server.exe	99
PID 924 wrote to memory of 1944	924	server.exe	104
PID 924 wrote to memory of 1944	924	server.exe	104
PID 924 wrote to memory of 1944	924	server.exe	104

C:\Users\Admin\AppData\Local\Temp\9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\FB_A0B4.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_A0B4.tmp.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_A0B4.tmp.exe

Filesize
268KB

MD5
3a20b6a658471d2eee1b0e6cd2ecd71f

SHA1
2c44c7a6d62c3dfa6bb3d4dfcc3e5d58343cfbcb

SHA256
806a6f2869a960febc62965716326795fc2762bed485276398e0404159dfd2f9

SHA512
86fdbd05b76e933142ef8e7258f2902fdd857ac08314b75336a88c272afd7ca0c2423979d1cdede98072f5cfdb00f35ceaf31bbe990ff2bbc01973c736ba6334

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
331KB

MD5
2d0867020d6352c827c75cbec33a0acc

SHA1
241fbe04597034c5232f29ae8c065c84e30bedc0

SHA256
6d9c9c4ac589447ac5503c03429d42a8b486ec05d3f8808b6d1f9a5d0856b4eb

SHA512
36bbf283f63fad86f99311641453147a770538b94e032c4081eca4e57e88075cc9b89ab6c858f0abe006cc14842fb90a42caadbfe0f22b6370688cd083fd08dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
140KB

MD5
bc9932d562808f046db8cf2d225b317e

SHA1
50827e282cb74b846b8ef79ccd3f5887e3a941f2

SHA256
49a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7

SHA512
d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.ex_

Filesize
67KB

MD5
b285a30da59bc109e8250e16810d8a22

SHA1
97ab0b288e4b390e63a4adedd39c7f0e03bcd669

SHA256
2f7f3225955c6cf3d39b01601e7bc50475f1bc3914c93d8ea2a4ad743e544715

SHA512
3c65940452d11098a25c131e3c34e36a03b4620717a70da47a7847c050c6e1bd64e48d7844eee89852a2ff1a3929f1201388b0f1931124fdfc13bcf076062d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe

Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
memory/388-76-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2704-53-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2868-45-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2868-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3176-24-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3176-15-0x0000000000840000-0x0000000000845000-memory.dmp

Filesize
20KB

Download
memory/3176-7-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3912-35-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/3912-37-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3912-20-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/3912-22-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/3912-17-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download