Extracted

• • Target

    e76822be6e7bf60c617c8d49133f444d_JaffaCakes118

  • Size

    337KB

  • MD5

    e76822be6e7bf60c617c8d49133f444d

  • SHA1

    5f45037213112c91ad51efda01930adf9748f56f

  • SHA256

    2aaf93a1bc4f18d8f7eff1bcd204f0b1ec348e6f2d438a8f80b4934338903ee4

  • SHA512

    224e9ddb781230ef3838a78489f195b0323dab8ce8ad20819eb6b87f4a5f8b4129a6abce44fefe367db41466cc5d2af9f07fb106a548312d2dc8fd3a2c0af865

  • SSDEEP

    6144:hcpAt1E0QEkNM/HEgk0U0PCgSbZ//r5qwlgN:hcpAE0QEkNWkXgQ

  Score

  10^/10

  defense_evasiondiscoveryevasionexecutionprivilege_escalationtrojannjrathackedpersistence

  • Disables service(s)

    evasionexecution

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • Njrat family

    njrat

  • Turns off Windows Defender SpyNet reporting

    evasion

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Stops running service(s)

    evasionexecution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2