Overview

overview

10

Static

static

3

JaffaCakes...40.exe

windows7-x64

10

JaffaCakes...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_66ef528412dc934d21412e0601b53440.exe

  • Size

    251KB

  • MD5

    66ef528412dc934d21412e0601b53440

  • SHA1

    7410355ff27c41f77ac7753ecfd27977a745651e

  • SHA256

    63cc576ffefbcaf8e685b04e8cb0a86b94cc8ca35ac34f2eecadc65b9d6ff26d

  • SHA512

    b046ef3685481011900ddc2d39c02a74fd9d06a6ae7e1e788699cec5c712aba284db9e91fc34ad8f5854cd1df44ea596507bd7823cae4f4dd3b055c838587ac7

  • SSDEEP

    3072:i95oylZ4GU11ahLGAshKwBQYRvvtQsLj4HrNperABxTjCGPWEYpjG/KJFhy2h0pq:i95cGU+hshDtfLmb3x/CwTOjEwo

Score
10/10
njratهههههههههههههههevasionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

ههههههههههههههه

C2

youssef20.ddns.net:1177

Mutex

9322d95e65c8bd8ef9d5d31561116d58

Attributes
  • reg_key

    9322d95e65c8bd8ef9d5d31561116d58

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:660
    • C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66ef528412dc934d21412e0601b53440.exe" "JaffaCakes118_66ef528412dc934d21412e0601b53440.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:3480

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/660-0-0x00007FFCD4895000-0x00007FFCD4896000-memory.dmp

    Filesize

    4KB

    Download

  • memory/660-1-0x00007FFCD45E0000-0x00007FFCD4F81000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/660-2-0x000000001B940000-0x000000001BE0E000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/660-3-0x000000001BEB0000-0x000000001BF4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/660-4-0x000000001C000000-0x000000001C0A6000-memory.dmp

    Filesize

    664KB

    Download

  • memory/660-5-0x00007FFCD45E0000-0x00007FFCD4F81000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/660-6-0x00007FFCD4895000-0x00007FFCD4896000-memory.dmp

    Filesize

    4KB

    Download

  • memory/660-7-0x00007FFCD45E0000-0x00007FFCD4F81000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/660-8-0x0000000000B90000-0x0000000000B9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/660-9-0x0000000000B80000-0x0000000000B88000-memory.dmp

    Filesize

    32KB

    Download