Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 18:25

General

  • Target

    eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe

  • Size

    127KB

  • MD5

    eccd8b676bdc00e2bca6837225d0de82

  • SHA1

    fcd9d9f947250d807d25e47f71b1e4d33a722c94

  • SHA256

    4a16f3b48425de38d03e4c5f0d902ade1310b6f4ae413354b5a9949e7a895472

  • SHA512

    702621e4aee8f0fac1535798abdc1d8e3c731f8449ce2b6c14657fddeecafb8ca17d9fd587e7c7ac0c4668dba40b98a8b77508981d6f30c2d8478396131a19ff

  • SSDEEP

    3072:jn9ZdSp05IdUts+n+mI8/EUWnBLeQiv04/LvN6OdA/b1M5X:jZQ0FtsM8UkL8vJLpdy2X

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

110821

C2

185.222.57.203:3333

Mutex

f30d07865704fc19fcdc80f3519e44b8

Attributes
  • reg_key

    f30d07865704fc19fcdc80f3519e44b8

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 220
      2⤵
      • Program crash
      PID:2268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1668 -ip 1668
    1⤵
      PID:1992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1668-1-0x00000000007B9000-0x00000000007BB000-memory.dmp

      Filesize

      8KB

    • memory/1896-3-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/1896-7-0x000000007467E000-0x000000007467F000-memory.dmp

      Filesize

      4KB

    • memory/1896-8-0x0000000002B20000-0x0000000002B2C000-memory.dmp

      Filesize

      48KB

    • memory/1896-9-0x0000000007D50000-0x00000000082F4000-memory.dmp

      Filesize

      5.6MB

    • memory/1896-10-0x0000000007840000-0x00000000078DC000-memory.dmp

      Filesize

      624KB

    • memory/1896-11-0x0000000007A00000-0x0000000007A92000-memory.dmp

      Filesize

      584KB

    • memory/1896-12-0x0000000074670000-0x0000000074E20000-memory.dmp

      Filesize

      7.7MB

    • memory/1896-13-0x0000000004D30000-0x0000000004D3A000-memory.dmp

      Filesize

      40KB

    • memory/1896-14-0x000000007467E000-0x000000007467F000-memory.dmp

      Filesize

      4KB

    • memory/1896-15-0x0000000074670000-0x0000000074E20000-memory.dmp

      Filesize

      7.7MB