njrat | e8648c12edb71ba951b2306a7b235dbdc474f26e33319e8ba7219e4a50dd99bd

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
Size

2.7MB
MD5

aeaea6351755710c58f417cb3950fa2c
SHA1

f70dd0ef55453aab682d9e7e7efb87c690160a9d
SHA256

e8648c12edb71ba951b2306a7b235dbdc474f26e33319e8ba7219e4a50dd99bd
SHA512

8f25389fdf030c6e432fffb73920f7c00bb4343c5f96e7c14743b277edf34f94ee40001912837f268d7191f1b6918d6c21e44d34e95eb6bdf673fd81b95af6ee
SSDEEP

49152:dJZoQrbTFZY1iacKz58Fcw8uaFKnS3Ubv/Ukd1Zau86XwNjI+zJD9PEe7M:dtrbTA1jr8smMkdDd86XwJXdd7M

Score

10^/10

njrat jøoker ħäằäckèr discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

JØoker ĦäằäCkèr

hsn85.no-ip.biz:555

Mutex

8100c3226482ae95a43914b125e72414

Attributes

reg_key
8100c3226482ae95a43914b125e72414
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
308	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2748	System.exe
2740	Setup_FacebookPasswordHack 2014.exe
2520	TempNajaf.exe
2280	Update.exe

Loads dropped DLL 8 IoCs

pid	Process
2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
2740	Setup_FacebookPasswordHack 2014.exe
2740	Setup_FacebookPasswordHack 2014.exe
2740	Setup_FacebookPasswordHack 2014.exe
2740	Setup_FacebookPasswordHack 2014.exe
2748	System.exe
2520	TempNajaf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."	Update.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	System.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	System.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempNajaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup_FacebookPasswordHack 2014.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0004000000011ba1-10.dat	nsis_installer_1
behavioral1/files/0x0004000000011ba1-10.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe
2748	System.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2748	System.exe
2740	Setup_FacebookPasswordHack 2014.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	System.exe
Token: SeDebugPrivilege	2280	Update.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2748	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2748	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2748	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2748	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2740	2124	aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe	31
PID 2748 wrote to memory of 2520	2748	System.exe	32
PID 2748 wrote to memory of 2520	2748	System.exe	32
PID 2748 wrote to memory of 2520	2748	System.exe	32
PID 2748 wrote to memory of 2520	2748	System.exe	32
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2520 wrote to memory of 2280	2520	TempNajaf.exe	33
PID 2280 wrote to memory of 308	2280	Update.exe	34
PID 2280 wrote to memory of 308	2280	Update.exe	34
PID 2280 wrote to memory of 308	2280	Update.exe	34
PID 2280 wrote to memory of 308	2280	Update.exe	34

C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\System.exe
  C:\Users\Admin\AppData\Local\Temp/System.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\TempNajaf.exe
    "C:\Users\Admin\AppData\Local\TempNajaf.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Update.exe" "Update.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:308
- C:\Users\Admin\AppData\Local\Temp\Setup_FacebookPasswordHack 2014.exe
  "C:\Users\Admin\AppData\Local\Temp/Setup_FacebookPasswordHack 2014.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup_FacebookPasswordHack 2014.exe

Filesize
1.9MB

MD5
ee3ea9d01b1202549d0ea19da285eb68

SHA1
721027a19f98e12ef3c3d851875bde3827f3c496

SHA256
83bdd3882cfd3d5ac6a08ea79dc0be51d301300e03b23b7200881d3b690de8d5

SHA512
39f77797bc6840ad835319224f3dcd7cc200eb79d4b6fa3f15b72e9ea790bc29f6c0b552810a156d602414e38f4be11ca110cfb6ea4ae009d4f818150bdb702e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF1F.tmp\isWelcome.ini

Filesize
411B

MD5
68eaa46eb15f8edece48b6d51eeed5df

SHA1
71daf56cf69f41bd2814d654c6d2595e0444925d

SHA256
fd80a9dbad3bd98c976cd6fda8fa834f66aa35af521385ded6c55de48c980d67

SHA512
8d329fb77ac98536653c6787c5756eff47ec2732b222b27f8a1d57345556b2c30536d849a0153fab3b7dd07e170b4ab69b45e3be8e9f8c71f21e316c72f5aad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseF1F.tmp\isWelcome.ini

Filesize
424B

MD5
9ddd03cf72bb3d6b73e5b5d160733482

SHA1
93a54958fa3f00ff0f0a5b281fb8e968767f5ebb

SHA256
3d48d3ad900f8a1be8a453975f659e2e5b948d3185621ae4ddad5b6fb89f577e

SHA512
8eb66127805a5a19e8115216fffc10f1fab8e3b123ee0083b1321b9c2acb1cb448df25360ad816db2abfa3090eaeb30d67f13f3b67bacd8332f8a05826d9463a

Download Submit
\Users\Admin\AppData\Local\TempNajaf.exe

Filesize
29KB

MD5
d9ed25466a77bc9106d5dedf76292e47

SHA1
ea583053caca2e0fa7187cab072dad3affa3a5d9

SHA256
755b1e8ec6fa24ffc9cd18dfca43dce46f05abd236e34b1cd16af9522b8a7989

SHA512
6de60891f5ae3ac2148b348c82d79b0d205cc7ed838616e5f73c2c25e9fd823d8b1475a87d688c895d27a02265dbe5b6053f54df73932455371997f00f50c485

Download Submit
\Users\Admin\AppData\Local\Temp\System.exe

Filesize
53KB

MD5
6cf518f1d8ad355c81a88efb28b69295

SHA1
661136e0c9b252f61d12f14d854fc32688ccce13

SHA256
3c8d24ac4e77862e89e74732d94b37b2bf776610b5ed26634256ea96dd0322fc

SHA512
cbd3522d154c05251e3930d4694ce8f34f7dfc2b72b032107850ab891912c114286dfa7d88224e217a3b1fb3f20aa2c857323b214feabb760e954b5f5be12366

Download Submit
\Users\Admin\AppData\Local\Temp\nseF1F.tmp\InstallOptions.dll

Filesize
14KB

MD5
325b008aec81e5aaa57096f05d4212b5

SHA1
27a2d89747a20305b6518438eff5b9f57f7df5c3

SHA256
c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b

SHA512
18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Download Submit
memory/2748-18-0x0000000074A31000-0x0000000074A32000-memory.dmp

Filesize
4KB

Download
memory/2748-25-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-26-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-101-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-102-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2748-107-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download