njrat | 05fb1f2607fc07650bfef4d68b96e311b21425eabaa9fa8eb5ff0f2274828a36

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_377179f58983528698d54d187d813393.exe
Size

538KB
MD5

377179f58983528698d54d187d813393
SHA1

0f0e1ca715a02e97f6d4569367ea41527cee9712
SHA256

05fb1f2607fc07650bfef4d68b96e311b21425eabaa9fa8eb5ff0f2274828a36
SHA512

c8533bb44d0a30f19df4376f64983e0c50201b4281a7f571c6dda1164188562441848d9f5847b66b232d6e142a35b695d175bbe64ee29125b512ba1f5718bbd9
SSDEEP

12288:bTgWEaBhNkj2ayhxt8uQ3TUORQh5HSZqc+:F

Score

10^/10

njrat trojan

Malware Config

Extracted

Family

njrat

206.123.129.13:1911

Mutex

95768135b1

Attributes

reg_key
95768135b1
splitter
@!#&^%$

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
2936	JaffaCakes118_377179f58983528698d54d187d813393.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: 33	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe
Token: SeIncBasePriorityPrivilege	2936	JaffaCakes118_377179f58983528698d54d187d813393.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_377179f58983528698d54d187d813393.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_377179f58983528698d54d187d813393.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2936-0-0x00007FFBA0D83000-0x00007FFBA0D85000-memory.dmp

Filesize
8KB

Download
memory/2936-1-0x0000000000CF0000-0x0000000000D7C000-memory.dmp

Filesize
560KB

Download
memory/2936-2-0x00007FFBA0D80000-0x00007FFBA1841000-memory.dmp

Filesize
10.8MB

Download
memory/2936-3-0x0000000002E70000-0x0000000002E7C000-memory.dmp

Filesize
48KB

Download
memory/2936-4-0x00007FFBA0D83000-0x00007FFBA0D85000-memory.dmp

Filesize
8KB

Download
memory/2936-5-0x00007FFBA0D80000-0x00007FFBA1841000-memory.dmp

Filesize
10.8MB

Download