njrat | da6f282bda21ae7d7672b12038088c5683f4b6c05f651bb8bcce0e50330cd7f0

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
Size

1.3MB
MD5

e89734cb5f03a7205150c1dd2b63f482
SHA1

e13bcecf89bd561fa0dee793c7768e7d905997b4
SHA256

da6f282bda21ae7d7672b12038088c5683f4b6c05f651bb8bcce0e50330cd7f0
SHA512

a43373f0d5ef35317f9ccbd4b5a3269c2fa4ae2247f509e148fe73fd8a0a6a36111b2286bd76553d63696878761a863c536f3b48d8e934953bd9f96a7c39d75c
SSDEEP

24576:9Lf44W9ESiWy9EFFTZdXTZdHXTZdXTZzyQHqVE008sWVmiXMf7OM4pWC7FdT59Dl:uiSTZdXTZdHXTZdXTZzyQKVE0zmDI

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

62.227.124.106:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Payload.exe

Executes dropped EXE 3 IoCs

pid	Process
3188	Stub,.exe
1996	Payload.exe
1300	Payload.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Payload.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1996 set thread context of 1300	1996	Payload.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stub,.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	Stub,.exe
Token: SeRestorePrivilege	3164	dw20.exe
Token: SeBackupPrivilege	3164	dw20.exe
Token: SeBackupPrivilege	3164	dw20.exe
Token: SeBackupPrivilege	3164	dw20.exe
Token: SeDebugPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe
Token: 33	1300	Payload.exe
Token: SeIncBasePriorityPrivilege	1300	Payload.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3188	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	82
PID 1116 wrote to memory of 3188	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	82
PID 1116 wrote to memory of 3188	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	82
PID 3188 wrote to memory of 3164	3188	Stub,.exe	83
PID 3188 wrote to memory of 3164	3188	Stub,.exe	83
PID 3188 wrote to memory of 3164	3188	Stub,.exe	83
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 1116 wrote to memory of 628	1116	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	84
PID 628 wrote to memory of 1996	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	90
PID 628 wrote to memory of 1996	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	90
PID 628 wrote to memory of 1996	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	90
PID 628 wrote to memory of 4576	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	91
PID 628 wrote to memory of 4576	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	91
PID 628 wrote to memory of 4576	628	e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe	91
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94
PID 1996 wrote to memory of 1300	1996	Payload.exe	94

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Stub,.exe
  "C:\Users\Admin\AppData\Local\Temp\Stub,.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 888
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- C:\Users\Admin\AppData\Local\Temp\e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\Payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\Payload.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1300
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e89734cb5f03a7205150c1dd2b63f482_JaffaCakes118.exe.log

Filesize
617B

MD5
e07efe3f1e4fcc39483a46d0644e1750

SHA1
083566e513d8090982a8f2d2c57864f7e5eea721

SHA256
d35da5dbc639e94852448d93722de5260388abf8a0a6b80d947d8acf02209617

SHA512
e29fac6efce55130598dd9ca0be18e2934d8ed417087848f4c80c1754312f1dae2eb0fc3e85e58aa11abde23a221bdf8f6b80df3a9acad4891626f667f05b474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
1.3MB

MD5
e89734cb5f03a7205150c1dd2b63f482

SHA1
e13bcecf89bd561fa0dee793c7768e7d905997b4

SHA256
da6f282bda21ae7d7672b12038088c5683f4b6c05f651bb8bcce0e50330cd7f0

SHA512
a43373f0d5ef35317f9ccbd4b5a3269c2fa4ae2247f509e148fe73fd8a0a6a36111b2286bd76553d63696878761a863c536f3b48d8e934953bd9f96a7c39d75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stub,.exe

Filesize
669KB

MD5
5e2c1a42cd6d66b10f49371a712a554c

SHA1
a29e99551f4bd77aafaf24ab07144426a6324d38

SHA256
9e3619a9774f78d06757bd69784863fd9eceecfccc847c9de0f6783568864749

SHA512
1dc0ce574427f5b5abc80225601c4fa3b6486e9609c95ae08c304efd4c52354c2e122fce47c52688a9e8052a79e0370103343ba9f1fcf1a063bdada274bde0ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
9d8feb2f0d0f90f04f25b8006be83fdc

SHA1
c35b889767be595af5d69417a6253cb0d0a1af0e

SHA256
50610114ae6b7ac7ee1c6bb520e567f656f4bac43245e336f511f46126ac3ff7

SHA512
7479d710887029fa2b3a46e9aeecda1e8b21dbabef5bf7626d86e4ace729ffd562b9d52452dbc2ebc893a530a54775c64cde74f52f9d5bcb4484899ef6c3f8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
4b9d1668d2734e11056f2535324845c2

SHA1
3d3a09118b50bd01f6445c24d483ea25baebb918

SHA256
8e0fef9aeb3af819fb5ccfdcfdf937f254ba4b5e26d96c1d0e37b0873ae524c0

SHA512
708d27792ebc73edcc6d53b44dd66eadf074aca1a05ff0690b7bad134b0afd1654fd450015b64695364fddd7bcc99626a416025b6ff55b50c616e0b9fa71bb25

Download Submit
memory/628-23-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/628-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1116-19-0x0000000006580000-0x0000000006598000-memory.dmp

Filesize
96KB

Download
memory/1116-18-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/1116-15-0x0000000006AD0000-0x0000000007074000-memory.dmp

Filesize
5.6MB

Download
memory/1116-0-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/1116-2-0x0000000005AA0000-0x0000000005B3C000-memory.dmp

Filesize
624KB

Download
memory/1116-1-0x0000000000F70000-0x00000000010CC000-memory.dmp

Filesize
1.4MB

Download
memory/1300-53-0x0000000006020000-0x00000000060B2000-memory.dmp

Filesize
584KB

Download
memory/1300-54-0x0000000006010000-0x000000000601A000-memory.dmp

Filesize
40KB

Download
memory/3188-14-0x0000000070902000-0x0000000070903000-memory.dmp

Filesize
4KB

Download
memory/3188-32-0x0000000070900000-0x0000000070EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-17-0x0000000070900000-0x0000000070EB1000-memory.dmp

Filesize
5.7MB

Download
memory/3188-16-0x0000000070900000-0x0000000070EB1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads