Overview

overview

10

Static

static

3

cab394f76d...18.exe

windows7-x64

10

cab394f76d...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06/12/2024, 02:55

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cab394f76dc7daa2a8548a9d1bd0f699_JaffaCakes118.exe

  • Size

    355KB

  • MD5

    cab394f76dc7daa2a8548a9d1bd0f699

  • SHA1

    fe4266bc4c82102e7cbae80f1d0b5ed73aa73c8c

  • SHA256

    f6d048de00d043dc334d6e6bcc558b86b00c589dcf54f0ea2b1423cd3ded25bb

  • SHA512

    e960bc345e7d9a83bf20f2e4067d72d0464e28bc07b31addc34f8f5e57eafb55b4e1a12fdf5a48d5428585f72e6cae2328c2a44ebfaa1aa6c5acb1f48cc75736

  • SSDEEP

    6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40XO+5m4iU:IzxzTDWikLSb4NS7t2X+t40XO+5iU

Score
10/10
njrathackeado by ~shadowndiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hackeado by ~Shadown

C2

opaeae201.zapto.org:1177

Mutex

216f293b3310c600be4683b77133b908

Attributes
  • reg_key

    216f293b3310c600be4683b77133b908

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cab394f76dc7daa2a8548a9d1bd0f699_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cab394f76dc7daa2a8548a9d1bd0f699_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\BetterDiscordSetup.EXE
      "C:\Users\Admin\AppData\Local\Temp\BetterDiscordSetup.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Users\Admin\AppData\Local\Temp\betterdiscord.exe
        "C:\Users\Admin\AppData\Local\Temp\betterdiscord.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\betterdiscord.exe" "betterdiscord.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:2892
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2596

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Netsh Helper DLL

        1
        T1546.007

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\thumb-350-1073931.JPG
          Filesize

          14KB

          MD5

          081ed679153d1b6f8a5d837bf6eddf88

          SHA1

          67fde1346d626326117c439bf9aab48157dde1bd

          SHA256

          712513085dd636b3d1f4aa32915a699bfbdfcfd29abec23cbd0cb1a48038dbef

          SHA512

          b7863831de0fd82011d19fee47dfb3c01e03b028b9db3579cb6b67529f6110e08f77a26e7cc0d66ab46fe66f47524bc262b15dfd26bb039806860f6c7743dd0c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\BetterDiscordSetup.exe
          Filesize

          23KB

          MD5

          251a4dc06bc28fb1806b6b346c34ecc7

          SHA1

          d65d8a9f57ac2a2bd96932cee7305a3b6c450b0d

          SHA256

          0a299b9f282c9d8d77c85d4898ec705c4a5337f9de0c476693f50039c072145e

          SHA512

          3dc9efae2625672ef54bb26f784fbe27d9e795802e48a7a8525d0c4d476f8b18306d30a10c6268a420d0a5b24a6b840ffabf8b9848fe0389952bf8df6fe3d7ed

          Download Submit

        • memory/1624-25-0x0000000003670000-0x0000000003672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2596-26-0x0000000000220000-0x0000000000222000-memory.dmp

          Filesize

          8KB

          Download