Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    02-01-2025 17:41

General

  • Target

    JaffaCakes118_66ef528412dc934d21412e0601b53440.exe

  • Size

    251KB

  • MD5

    66ef528412dc934d21412e0601b53440

  • SHA1

    7410355ff27c41f77ac7753ecfd27977a745651e

  • SHA256

    63cc576ffefbcaf8e685b04e8cb0a86b94cc8ca35ac34f2eecadc65b9d6ff26d

  • SHA512

    b046ef3685481011900ddc2d39c02a74fd9d06a6ae7e1e788699cec5c712aba284db9e91fc34ad8f5854cd1df44ea596507bd7823cae4f4dd3b055c838587ac7

  • SSDEEP

    3072:i95oylZ4GU11ahLGAshKwBQYRvvtQsLj4HrNperABxTjCGPWEYpjG/KJFhy2h0pq:i95cGU+hshDtfLmb3x/CwTOjEwo

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ههههههههههههههه

C2

youssef20.ddns.net:1177

Mutex

9322d95e65c8bd8ef9d5d31561116d58

Attributes
  • reg_key

    9322d95e65c8bd8ef9d5d31561116d58

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The only netsh.exe invocation in the process tree below adds a firewall exception for the dropped executable (netsh firewall add allowedprogram ...); it does not register a helper DLL, so this tag reflects netsh.exe activity spawned by the sample rather than an observed helper-DLL persistence mechanism.

  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\system32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe" "JaffaCakes118_66ef528412dc934d21412e0601b53440.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:332
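
The process tree and extracted config above give three concrete detection hooks: a netsh firewall exception for a binary in a user-writable directory, a Run-key value named after the njRAT reg_key, and resolution of or connection to the configured C2 host:port. The following is an added example, not part of the sandbox report, of detection logic that checks those hooks over constructed Sysmon-style event records (field names modelled on event IDs 1, 3, 13 and 22). The paths, hashes, host, port and reg_key are copied from the report; the HKCU registry location, the benign comparison events and the Sysmon field layout are assumptions.

```python
"""Detection checks for the njRAT behaviour shown in the report above.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
Sysmon-style records mirroring the process tree and extracted config; the
registry path and the benign events are assumptions, the rest is copied from
the report.
"""
import re

# Indicators copied from the extracted njRAT config above.
C2_HOST = "youssef20.ddns.net"
C2_PORT = 1177
REG_KEY = "9322d95e65c8bd8ef9d5d31561116d58"
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe")

# Directories an unprivileged user can write to; a firewall exception or Run
# key pointing here is far more suspicious than one pointing at Program Files.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\")
# Captures the value name under HKxx\...\CurrentVersion\Run or RunOnce.
RUN_KEY = re.compile(
    r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\([^\\]+)$")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted segments (and key="value"
    arguments) as single tokens, then drop the surrounding quotes."""
    return [t.strip('"') for t in re.findall(r'(?:[^\s"]|"[^"]*")+', cmdline)]


def firewall_exception_target(cmdline):
    """Return the program path a netsh command whitelists, or None.

    Handles the legacy 'netsh firewall add allowedprogram <path> <name> ENABLE'
    form seen in the process tree (positional or program= keyword) and the
    'netsh advfirewall firewall add rule ... program=<path>' form that replaced it.
    """
    toks = tokenize(cmdline)
    if not toks:
        return None
    low = [t.lower() for t in toks]
    if not (low[0] == "netsh" or low[0].endswith("netsh.exe")):
        return None
    if low[1:4] == ["firewall", "add", "allowedprogram"]:
        for t in toks[4:]:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1].strip('"')
        return toks[4] if len(toks) > 4 else None
    if low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        for t in toks[5:]:
            if t.lower().startswith("program="):
                return t.split("=", 1)[1].strip('"')
    return None


def analyze(events):
    """Run every check over a list of event dicts and return the findings."""
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev.get("ProcessId"), "detail": detail})

    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            target = firewall_exception_target(ev.get("CommandLine", ""))
            if target and USER_WRITABLE.search(target):
                hit("netsh_firewall_allow_user_writable", ev, target)
        elif eid == 13:  # registry value set
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m:
                data = ev.get("Details", "")
                if USER_WRITABLE.search(data):
                    hit("run_key_to_user_writable", ev, data)
                if m.group(1).lower() == REG_KEY:
                    hit("njrat_config_reg_key", ev, m.group(1))
        elif eid == 22:  # DNS query
            if ev.get("QueryName", "").lower() == C2_HOST:
                hit("njrat_c2_domain", ev, ev["QueryName"])
        elif eid == 3:  # network connection
            if (ev.get("DestinationHostname", "").lower() == C2_HOST
                    or ev.get("DestinationPort") == C2_PORT):
                hit("njrat_c2_connection", ev,
                    f'{ev.get("DestinationHostname")}:{ev.get("DestinationPort")}')
    return findings


SAMPLE_EVENTS = [
    # Process tree from the report.
    {"EventID": 1, "ProcessId": 2312, "Image": SAMPLE_PATH,
     "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 332, "ParentProcessId": 2312,
     "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{SAMPLE_PATH}" '
                    '"JaffaCakes118_66ef528412dc934d21412e0601b53440.exe" ENABLE'},
    # Run-key persistence: HKCU location is constructed, value name is the
    # reg_key from the extracted config.
    {"EventID": 13, "ProcessId": 2312,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9322d95e65c8bd8ef9d5d31561116d58",
     "Details": f'"{SAMPLE_PATH}"'},
    # C2 resolution and connection using the config's host:port.
    {"EventID": 22, "ProcessId": 2312, "QueryName": "youssef20.ddns.net"},
    {"EventID": 3, "ProcessId": 2312, "DestinationHostname": "youssef20.ddns.net",
     "DestinationPort": 1177},
    # Constructed benign activity that must not fire: an installer whitelisting
    # a Program Files binary and registering it to run, plus a vendor lookup.
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\system32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="App" dir=in '
                    'action=allow program="C:\\Program Files\\App\\app.exe" enable=yes'},
    {"EventID": 13, "ProcessId": 4100,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\App",
     "Details": r'"C:\Program Files\App\app.exe"'},
    {"EventID": 22, "ProcessId": 4100, "QueryName": "updates.example.com"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f["rule"]:36} pid={f["pid"]} {f["detail"]}')
```

The user-writable-path test is what separates this sample's `netsh firewall add allowedprogram` from an installer doing the same for a binary under Program Files; the exact host, port and reg_key matches are sample-specific IOCs and will not survive a rebuild of the payload, so treat them as confirmation rather than the primary rule.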

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2312-0-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

    Filesize

    4KB

  • memory/2312-1-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2312-2-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2312-3-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

    Filesize

    9.6MB

  • memory/2312-4-0x0000000000270000-0x000000000027A000-memory.dmp

    Filesize

    40KB