njrat | 1788872a46f28d6e1593df23c4502bc5834b9f41f9e544b74848aea6913939ba

General

Target

c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe
Size

43KB
MD5

c87001299a6b8f5e31816b5fe5689f77
SHA1

0f9dd0039bd8e59f153b9fee598f97eb21e0677c
SHA256

1788872a46f28d6e1593df23c4502bc5834b9f41f9e544b74848aea6913939ba
SHA512

bcbd0f94f17f60a9ab894077f23afe165a423abcc046e6edcc58860b8fbe01b47f221749a6af630abdab06443388986667639075e724ace7f82a627078ee97ba
SSDEEP

384:2Zy0KNUst+3gUy6L7nCCCE8b9JszQIij+ZsNO3PlpJKkkjh/TzF7pWnL0greT0pe:s8wQh6PnlWbuuXQ/oCQ+L

Score

10^/10

njrat dolbaeb@discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

dolbaeb@

C2

aronakich.ddns.net:5552

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	lsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	lsm.exe

Executes dropped EXE 3 IoCs

pid	Process
1984	lsm.exe
4764	Server.exe
4408	Server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\lsm.exe\" .."	lsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\lsm.exe\" .."	lsm.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\lsm.exe	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe
File opened for modification	C:\Windows\lsm.exe	lsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1868	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4600	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe
1984	lsm.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe
Token: 33	1984	lsm.exe
Token: SeIncBasePriorityPrivilege	1984	lsm.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1984	4600	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe	84
PID 4600 wrote to memory of 1984	4600	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe	84
PID 4600 wrote to memory of 1984	4600	c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe	84
PID 1984 wrote to memory of 1868	1984	lsm.exe	86
PID 1984 wrote to memory of 1868	1984	lsm.exe	86
PID 1984 wrote to memory of 1868	1984	lsm.exe	86

C:\Users\Admin\AppData\Local\Temp\c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c87001299a6b8f5e31816b5fe5689f77_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\lsm.exe
  "C:\Windows\lsm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1868

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4764

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log

Filesize
507B

MD5
25d1b50e7c0d451f3d850eb54d27ca05

SHA1
a238807715c70a335f54e80d4855644b21a9e870

SHA256
650faa13e983c9046c9030f63a5fa1c33900432ec7cb3762e015da2e7c5b34a5

SHA512
4223a26b2fabefdf1c01443ccc7bd887464d27f02694379895a040c66db472d541218d501f1c01e1bd31012d079a31baf24e20882c32cf652a09a74e3bf385f5

Download Submit
C:\Windows\lsm.exe

Filesize
43KB

MD5
c87001299a6b8f5e31816b5fe5689f77

SHA1
0f9dd0039bd8e59f153b9fee598f97eb21e0677c

SHA256
1788872a46f28d6e1593df23c4502bc5834b9f41f9e544b74848aea6913939ba

SHA512
bcbd0f94f17f60a9ab894077f23afe165a423abcc046e6edcc58860b8fbe01b47f221749a6af630abdab06443388986667639075e724ace7f82a627078ee97ba

Download Submit
memory/1984-22-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/1984-16-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1984-21-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1984-20-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1984-17-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4600-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/4600-15-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4600-3-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/4600-5-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/4600-4-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4600-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/4600-1-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/4764-25-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4764-26-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4764-28-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads