Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-01-2025 11:57
General
-
Target
JaffaCakes118_64eb3998e26459e4c3077ad4024a1a80.exe
-
Size
29KB
-
MD5
64eb3998e26459e4c3077ad4024a1a80
-
SHA1
1c3e26247f971fb777d9ba220e65a21d3c4e1323
-
SHA256
2f01bed1f064d819090c4ae7f390d7ec9d63e2859c5553d1e96c16d627048f36
-
SHA512
55c7388ccc7bb0abc63ac169a5d158faaf826899d7c3261c62a9c4238bf9c002b9ea3204c00589b62ab2015a6dcd481b6003dd28d2ab9fba69434456dcbb6856
-
SSDEEP
384:1+jNl7fFhYUEWnPx5rNCYmWmqDUhHevaGBsbh0w4wlAokw9OhgOL1vYRGOZz3ZYY:m77YUEk5HCYIqsHe9BKh0p29SgRxn
Malware Config
Extracted
njrat
0.6.4
victoriah
zacinemzabi.bounceme.net:91
78eb78fcdfbb68ba8d69fee34d0c86a7
-
reg_key
78eb78fcdfbb68ba8d69fee34d0c86a7
-
splitter
|'|'|
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64eb3998e26459e4c3077ad4024a1a80.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64eb3998e26459e4c3077ad4024a1a80.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\mben.exe"C:\ProgramData\mben.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\ProgramData\mben.exe" "mben.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD564eb3998e26459e4c3077ad4024a1a80
SHA11c3e26247f971fb777d9ba220e65a21d3c4e1323
SHA2562f01bed1f064d819090c4ae7f390d7ec9d63e2859c5553d1e96c16d627048f36
SHA51255c7388ccc7bb0abc63ac169a5d158faaf826899d7c3261c62a9c4238bf9c002b9ea3204c00589b62ab2015a6dcd481b6003dd28d2ab9fba69434456dcbb6856
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB