Overview

overview

10

Static

static

3

JaffaCakes...90.exe

windows7-x64

10

JaffaCakes...90.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_6344e87d70b99f77eceae33035518d90

  • Size

    736KB

  • Sample

    250102-hc93pa1kgl

  • MD5

    6344e87d70b99f77eceae33035518d90

  • SHA1

    05defaaa2f0e94c13c85cf30a77e0be7a5173538

  • SHA256

    e5070571ea4a2f8c1cb52553bfe80de8b06de24fdd48996881b96525058b29e4

  • SHA512

    3c8b24272c4e87d05f27b19af81a4503f2bf224e6a354e9abbb4247037443fe60dd2273270dc069fff1b75874f1c6b7d91440b85d840d543ac55ae3949144d2d

  • SSDEEP

    12288:Q/V2fPzy1EZ5j9KYNLEW69IqWHd6e/y0Ws96fNzZLsMlGP3:z2EZ50SLEW6il96VE9odZLsMUP

Score
10/10
njrathamoodydiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

hamoody

C2

heroasd.no-ip.biz:9988

Mutex

d46656e8e7de092cfe266ea0e559dc73

Attributes
  • reg_key

    d46656e8e7de092cfe266ea0e559dc73

  • splitter

    |'|'|

Targets

    • Target

      JaffaCakes118_6344e87d70b99f77eceae33035518d90

    • Size

      736KB

    • MD5

      6344e87d70b99f77eceae33035518d90

    • SHA1

      05defaaa2f0e94c13c85cf30a77e0be7a5173538

    • SHA256

      e5070571ea4a2f8c1cb52553bfe80de8b06de24fdd48996881b96525058b29e4

    • SHA512

      3c8b24272c4e87d05f27b19af81a4503f2bf224e6a354e9abbb4247037443fe60dd2273270dc069fff1b75874f1c6b7d91440b85d840d543ac55ae3949144d2d

    • SSDEEP

      12288:Q/V2fPzy1EZ5j9KYNLEW69IqWHd6e/y0Ws96fNzZLsMlGP3:z2EZ50SLEW6il96VE9odZLsMUP

    Score
    10/10
    njrathamoodydiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks