Analysis

  • max time kernel
    145s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 18:25

General

  • Target

    eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    eccd8b676bdc00e2bca6837225d0de82

  • SHA1

    fcd9d9f947250d807d25e47f71b1e4d33a722c94

  • SHA256

    4a16f3b48425de38d03e4c5f0d902ade1310b6f4ae413354b5a9949e7a895472

  • SHA512

    702621e4aee8f0fac1535798abdc1d8e3c731f8449ce2b6c14657fddeecafb8ca17d9fd587e7c7ac0c4668dba40b98a8b77508981d6f30c2d8478396131a19ff

  • SSDEEP

    3072:jn9ZdSp05IdUts+n+mI8/EUWnBLeQiv04/LvN6OdA/b1M5X:jZQ0FtsM8UkL8vJLpdy2X

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

110821

C2

185.222.57.203:3333

Mutex

f30d07865704fc19fcdc80f3519e44b8

Attributes
  • reg_key

    f30d07865704fc19fcdc80f3519e44b8

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2192-2-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2192-3-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2192-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2192-11-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2192-10-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2192-12-0x00000000741CE000-0x00000000741CF000-memory.dmp

    Filesize

    4KB

  • memory/2192-13-0x00000000002F0000-0x00000000002FC000-memory.dmp

    Filesize

    48KB

  • memory/2192-14-0x00000000741C0000-0x00000000748AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2192-15-0x00000000741CE000-0x00000000741CF000-memory.dmp

    Filesize

    4KB

  • memory/2192-16-0x00000000741C0000-0x00000000748AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2220-1-0x0000000001269000-0x000000000126B000-memory.dmp

    Filesize

    8KB