njrat | bc39b35fe49d2d8ffbfdbeb9f99c138919b2dc8acbfa8ee089c959b1270f1239

General

Target

JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe
Size

100KB
MD5

3d5d5001a558f06c8013f35d0708817c
SHA1

41642aec0b7ea7010c71ed512e952de75745112b
SHA256

bc39b35fe49d2d8ffbfdbeb9f99c138919b2dc8acbfa8ee089c959b1270f1239
SHA512

a69346e463a6bee2ac84b6596d3faa74d3d527c53a52759d61c5a80bead05ae8a4fd49533807e54ffa518c09ca8937424ceb6604797225de35133ab3f2fd6724
SSDEEP

1536:WAp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4eP:d5eznsjsguGDFqG

Score

10^/10

njrat neuf discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes

reg_key
e1a87040f2026369a233f9ae76301b7b
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2712	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2288	chargeable.exe
2252	chargeable.exe

Loads dropped DLL 2 IoCs

pid	Process
2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe
2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\confuse = "C:\\Users\\Admin\\AppData\\Roaming\\confuse\\chargeable.exe"	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysMain = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe"	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 2252	2288	chargeable.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chargeable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe
Token: 33	2252	chargeable.exe
Token: SeIncBasePriorityPrivilege	2252	chargeable.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2288	2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe	31
PID 2328 wrote to memory of 2288	2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe	31
PID 2328 wrote to memory of 2288	2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe	31
PID 2328 wrote to memory of 2288	2328	JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe	31
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2288 wrote to memory of 2252	2288	chargeable.exe	32
PID 2252 wrote to memory of 2712	2252	chargeable.exe	33
PID 2252 wrote to memory of 2712	2252	chargeable.exe	33
PID 2252 wrote to memory of 2712	2252	chargeable.exe	33
PID 2252 wrote to memory of 2712	2252	chargeable.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3d5d5001a558f06c8013f35d0708817c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
  "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\confuse\chargeable.exe" "chargeable.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\confuse\chargeable.exe

Filesize
100KB

MD5
0d1739a601c5570c2248fd67a9ce2773

SHA1
a29d2fff1549adf0bbea8afa38ed5fe7528127d7

SHA256
a52c721e0d0b9326259162bba2dc2fd4e362efc152a3f9e423764301daa0dc84

SHA512
ae357aabd9c010ecb10ae19df93470e4edad40485c0d897e26e16fcc699a57bb3bba2b8aeec551c39579c1cebe376cdd2ff5f233a627e9b6dde99171375cf948

Download Submit
memory/2252-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2252-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2252-20-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2288-17-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-16-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-18-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-26-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2288-27-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-0-0x0000000074221000-0x0000000074222000-memory.dmp

Filesize
4KB

Download
memory/2328-19-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-6-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-2-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download
memory/2328-1-0x0000000074220000-0x00000000747CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads