njrat | 5b2d7dab768bc2118c28c73e32cf7e1a4dd6129016abe2df6f0876d090ef56d4

General

Target

JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
Size

233KB
MD5

601dfb7a98e57ececf07d2ada03536a0
SHA1

19dbc350938e846b5605c824d06c27b5b46ab4c1
SHA256

5b2d7dab768bc2118c28c73e32cf7e1a4dd6129016abe2df6f0876d090ef56d4
SHA512

66838b20e6de2ccb1f5255cc44d3deee30f193c71a5d3281bc05ff0dcea148fd2dd2b6461d9e4aa10af10e034ad8ff4e1e6235068b11f3dc0c734651800ea14a
SSDEEP

3072:/DUAdD0ytjEI45F4i8tWTn90TL/mIPHlzi/9LavTfQmUskSQiKswVzL8FqvsJO:/D3Vy8twuf/mCHiLacLsyiKlgFqv

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

1232.no-ip.org:9012

Mutex

51e62071a7618beb9182650c6cc1d0df

Attributes

reg_key
51e62071a7618beb9182650c6cc1d0df
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe

Executes dropped EXE 1 IoCs

pid	Process
3948	server.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYBbeC1N0pkVv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajNo3ggKEh0.exe"	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aYBbeC1N0pkVv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajNo3ggKEh0.exe"	server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4244 set thread context of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
3948	server.exe
3948	server.exe
3948	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
Token: SeDebugPrivilege	3948	server.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82
PID 4244 wrote to memory of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82
PID 4244 wrote to memory of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82
PID 4244 wrote to memory of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82
PID 4244 wrote to memory of 2160	4244	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	82
PID 2160 wrote to memory of 3948	2160	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	88
PID 2160 wrote to memory of 3948	2160	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	88
PID 2160 wrote to memory of 3948	2160	JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe	88
PID 3948 wrote to memory of 2344	3948	server.exe	91
PID 3948 wrote to memory of 2344	3948	server.exe	91
PID 3948 wrote to memory of 2344	3948	server.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Users\Admin\AppData\Roaming\server.exe
      C:\Users\Admin\AppData\Roaming\server.exe
      4⤵
      PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JaffaCakes118_601dfb7a98e57ececf07d2ada03536a0.exe.log

Filesize
1KB

MD5
3e4397aeafdc36308cf2e69b1a95af46

SHA1
89edb089c6d0f6ff6b3cf7d9b66e24ee6a4cc8dc

SHA256
314c58a3a7be41f6ce4662c67b7adc823cc37923125e61f91f5ec4c6a6760131

SHA512
46251e8d4c02478ddaa42c96be2b7909d215c8608b40b6daef7cd34756709fa95b1a95f02d0c04aa914130ed715a7bd1a1ac43fbfa22477c73639ec57a29898f

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
233KB

MD5
601dfb7a98e57ececf07d2ada03536a0

SHA1
19dbc350938e846b5605c824d06c27b5b46ab4c1

SHA256
5b2d7dab768bc2118c28c73e32cf7e1a4dd6129016abe2df6f0876d090ef56d4

SHA512
66838b20e6de2ccb1f5255cc44d3deee30f193c71a5d3281bc05ff0dcea148fd2dd2b6461d9e4aa10af10e034ad8ff4e1e6235068b11f3dc0c734651800ea14a

Download Submit
memory/2160-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2160-46-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/2160-29-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3948-55-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3948-49-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3948-48-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/3948-47-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-6-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/4244-31-0x000000000AA80000-0x000000000AA98000-memory.dmp

Filesize
96KB

Download
memory/4244-11-0x0000000002300000-0x000000000230A000-memory.dmp

Filesize
40KB

Download
memory/4244-9-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/4244-25-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-26-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-27-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-28-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-8-0x0000000008830000-0x00000000088CC000-memory.dmp

Filesize
624KB

Download
memory/4244-10-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-33-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-7-0x00000000071D0000-0x00000000071DA000-memory.dmp

Filesize
40KB

Download
memory/4244-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

Filesize
4KB

Download
memory/4244-5-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4244-4-0x0000000004A10000-0x0000000004A52000-memory.dmp

Filesize
264KB

Download
memory/4244-3-0x00000000752C0000-0x0000000075A70000-memory.dmp

Filesize
7.7MB

Download
memory/4244-2-0x00000000023C0000-0x00000000023CE000-memory.dmp

Filesize
56KB

Download
memory/4244-1-0x0000000000030000-0x0000000000070000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads