Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-12-2024 02:36

General

  • Target

    c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe

  • Size

    118KB

  • MD5

    c06aa970bd19848b1e30d7ef29b96db9

  • SHA1

    d00136054593fd2866a708ab0747a906a9329ddc

  • SHA256

    a6f6e5c3c97c144017680125611d208180a11cbede998b814eccc003d19958c9

  • SHA512

    e89b997a3c3c2209b27413a4d91e8e85832bfb8b0a5732194d92f6e7f0d3b17c2b3835bc00d54d2851ecaaee7c6dceb09c6263bdeba9f8865f775ab341afe655

  • SSDEEP

    1536:u7f65g9OX2CLGAApICdOk/dYLAZXdlItBGTjeIOlnToIfqwqHTTarAW9ctzqmg1I:knlVICUkLrGGTINTBfqHHYcFqmaI

Malware Config

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely used as a geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\system32\cscript.exe
      "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\A7E8.tmp\A7E9.tmp\A7EA.vbs //Nologo
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Users\Admin\AppData\Roaming\ServerName.exe
        "C:\Users\Admin\AppData\Roaming\ServerName.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ServerName.exe" "ServerName.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A7E8.tmp\A7E9.tmp\A7EA.vbs

    Filesize

    64KB

    MD5

    b2cca365214a78a41e520385fe38ca6d

    SHA1

    cc35acfe65dd34e10981a8a1b826d075ab73e558

    SHA256

    5e3416c1f4df20a75410f322edacb3247fe2e270a6abd13765f243f9f82cdb5a

    SHA512

    3c35f92f43e5a2cce29be8dd6d42a84a7436390224114c572c71dc4258b2beb35a1aea6ff4c9c82a60dc0ab3554da88fd880b5931204f450da30e6ac4ae3e384

  • C:\Users\Admin\AppData\Roaming\ServerName.exe

    Filesize

    23KB

    MD5

    41131e8adc7272f892a2c93ef32a1c60

    SHA1

    fe49f5293e0ec55720e9f1bb48666e513d16b81d

    SHA256

    81fa732787973ee56d454a5b438b6495a1c855c47f6e86c4d44b1f35f163546b

    SHA512

    006c21afcefaea738ab46939edbfb5c18fbf16e62afa2f2ff9d667a184a8f1eceeb65ae4c222245452fd1e016ce5849f4e1f5d2734f6684e9e9e8de59adc76ae

  • memory/2336-10-0x0000000074772000-0x0000000074773000-memory.dmp

    Filesize

    4KB

  • memory/2336-11-0x0000000074770000-0x0000000074D21000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-12-0x0000000074770000-0x0000000074D21000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-13-0x0000000074772000-0x0000000074773000-memory.dmp

    Filesize

    4KB

  • memory/2336-14-0x0000000074770000-0x0000000074D21000-memory.dmp

    Filesize

    5.7MB

  • memory/2336-15-0x0000000074770000-0x0000000074D21000-memory.dmp

    Filesize

    5.7MB