Overview

overview

10

Static

static

3

JaffaCakes...30.exe

windows7-x64

10

JaffaCakes...30.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_5b572bea2d6b56907d78d722b382ee30

  • Size

    285KB

  • Sample

    250101-tezkhstpgl

  • MD5

    5b572bea2d6b56907d78d722b382ee30

  • SHA1

    8d8e93390beaf88bee51e8ae52a23a48799b47ed

  • SHA256

    8d36a9fbd7cb689672489b3e2d8b769e07fdcc06cc410ee0ccc2b8e5ec36bd57

  • SHA512

    750af86e429fc96c9d4595b0df1dc8a805b53720e631bb63e905fd5be99ffed423df6c60d661270644af44a18bf0b656feabcc716897b0ec33584dbf2a9f0dd2

  • SSDEEP

    768:pZZpe06/gmAV4+RiHdxOnW5MedsruJDWaS77BKbwexZw32SLg0innjhyVT8w:n6/gmM2WW5MeGD7BKb7+it2Aw

Score
10/10
njratsaradiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

sara

C2

mouhamed0123.no-ip.biz:1177

Mutex

d06e5204d6dc66dc117e509f9784b277

Attributes
  • reg_key

    d06e5204d6dc66dc117e509f9784b277

  • splitter

    |'|'|

Targets

    • Target

      JaffaCakes118_5b572bea2d6b56907d78d722b382ee30

    • Size

      285KB

    • MD5

      5b572bea2d6b56907d78d722b382ee30

    • SHA1

      8d8e93390beaf88bee51e8ae52a23a48799b47ed

    • SHA256

      8d36a9fbd7cb689672489b3e2d8b769e07fdcc06cc410ee0ccc2b8e5ec36bd57

    • SHA512

      750af86e429fc96c9d4595b0df1dc8a805b53720e631bb63e905fd5be99ffed423df6c60d661270644af44a18bf0b656feabcc716897b0ec33584dbf2a9f0dd2

    • SSDEEP

      768:pZZpe06/gmAV4+RiHdxOnW5MedsruJDWaS77BKbwexZw32SLg0innjhyVT8w:n6/gmM2WW5MeGD7BKb7+it2Aw

    Score
    10/10
    njratsaradiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks