Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
02-01-2025 11:34
General
-
Target
JaffaCakes118_64c9f8d2a269237f3f8525651d53ad80.exe
-
Size
872KB
-
MD5
64c9f8d2a269237f3f8525651d53ad80
-
SHA1
c4cc3f01c09bbe5739ac59808004981b13016866
-
SHA256
113942263edbc8f96d31bb7cffb2c07bc960dcd423a82e039b5fe0d81f68cc8c
-
SHA512
1d4bbc5f49e508faf2507cfef755f613aceb1c2a5d9dab567e5e711bd29df1e5b22c4ba6607bfd5f5ac2239229cc3eda1186f72b3866c50774dffcb77356b9d2
-
SSDEEP
24576:ReFSOqvfLOXHMp4wtkOoTX17FUxy0vcroSfz0qdbPK:Y4OqC3MpFkDF7FUxy0vcroSAqNi
Malware Config
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64c9f8d2a269237f3f8525651d53ad80.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64c9f8d2a269237f3f8525651d53ad80.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
872KB
MD564c9f8d2a269237f3f8525651d53ad80
SHA1c4cc3f01c09bbe5739ac59808004981b13016866
SHA256113942263edbc8f96d31bb7cffb2c07bc960dcd423a82e039b5fe0d81f68cc8c
SHA5121d4bbc5f49e508faf2507cfef755f613aceb1c2a5d9dab567e5e711bd29df1e5b22c4ba6607bfd5f5ac2239229cc3eda1186f72b3866c50774dffcb77356b9d2
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
520KB
-
Filesize
9.9MB
-
Filesize
896KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
4KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
232KB
-
Filesize
464KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
9.9MB
-
Filesize
500KB
-
Filesize
520KB
-
Filesize
9.9MB
-
Filesize
384KB
-
Filesize
896KB