njrat | 6e37585d7469e4f38e734d8d86087fff1c2dcd52c1a94037f8e3d74e4fd2224b

General

Target

JaffaCakes118_63576009051871b0fea84610800829c0.exe
Size

427KB
MD5

63576009051871b0fea84610800829c0
SHA1

00ddd48d617ef5f3b1ab2b4a6d61f7720f351951
SHA256

6e37585d7469e4f38e734d8d86087fff1c2dcd52c1a94037f8e3d74e4fd2224b
SHA512

a02974916c5f761f47d815fa5b4d59b23228522f5e6b2f204953d899feff20f7544fccc1f53e3cd5639e205cfa29b8bb2bc5faa1494265ac1ee2e51649878d32
SSDEEP

12288:56Wq4aaE6KwyF5L0Y2D1PqLo3GTaLlSeCy:PthEVaPqLoPceX

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:1177

Mutex

301b5fcf8ce2fab8868e80b6c1f912fe

Attributes

reg_key
301b5fcf8ce2fab8868e80b6c1f912fe
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
744	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\301b5fcf8ce2fab8868e80b6c1f912fe.exe	System.exe

Executes dropped EXE 2 IoCs

pid	Process
2352	Server.exe
3052	System.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."	System.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\301b5fcf8ce2fab8868e80b6c1f912fe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.exe\" .."	System.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1116-18-0x0000000000400000-0x00000000004B8000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1116-0-0x0000000000400000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/1116-18-0x0000000000400000-0x00000000004B8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_63576009051871b0fea84610800829c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe
3052	System.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	System.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2352	1116	JaffaCakes118_63576009051871b0fea84610800829c0.exe	82
PID 1116 wrote to memory of 2352	1116	JaffaCakes118_63576009051871b0fea84610800829c0.exe	82
PID 1116 wrote to memory of 2352	1116	JaffaCakes118_63576009051871b0fea84610800829c0.exe	82
PID 2352 wrote to memory of 3052	2352	Server.exe	83
PID 2352 wrote to memory of 3052	2352	Server.exe	83
PID 2352 wrote to memory of 3052	2352	Server.exe	83
PID 3052 wrote to memory of 744	3052	System.exe	84
PID 3052 wrote to memory of 744	3052	System.exe	84
PID 3052 wrote to memory of 744	3052	System.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63576009051871b0fea84610800829c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_63576009051871b0fea84610800829c0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp/Server.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System.exe" "System.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
29KB

MD5
ab1f9d0d1d62cf2675ff5e7a13cbd24d

SHA1
92a98a7247cbdd7024d2ab5da6af66ece570ce11

SHA256
407d9972c01f8743b6774cffe95035fc2e00d2a2610f825588cc014bb6036f77

SHA512
c937125c4c05109e852629eacbd1a608bcc8b2cf1cc37bcc77f509cdf2bef201a6a342d16419b8f2278f59c4fd473141ecec96220b5c19d9a4bde96d668159eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8ADC.tmp

Filesize
132KB

MD5
38c554d3e025bfcb57f48fb8ced6a7ca

SHA1
fc77bd45a18fab2d64c9e3ea12cae71c737de7ab

SHA256
4720c99d55392ae7de9de90cb0d3ee9d3ecacd9ca804b287aa35b8f6189fbb1c

SHA512
87744d62e8c2e2cfd681d91e5a5af9fe414c5beda6bd3c0321c12fed045346056787af3b6d75f8ed73e9648688ae7b38c85c81fcd99b9cde6ca26060411a2244

Download Submit
memory/1116-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1116-18-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2352-19-0x00000000746E2000-0x00000000746E3000-memory.dmp

Filesize
4KB

Download
memory/2352-20-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/2352-21-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/2352-31-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/3052-32-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/3052-33-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/3052-35-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download
memory/3052-36-0x00000000746E0000-0x0000000074C91000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads