Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 17:43
General
-
Target
JaffaCakes118_66f357009761da16ba97118cf921f030.exe
-
Size
97KB
-
MD5
66f357009761da16ba97118cf921f030
-
SHA1
7fa0857714cbfc108bf92ba81ea55a04f3adbafb
-
SHA256
1b8213f36e6aca9379292c1e2d77c46351703b89936d1e892c95a9496f83cb61
-
SHA512
9b77ef66e4dafec78a7bc5014aeff22e460a3ea7ec23ca1395a8e4cb741975005ab525f0e72db65ba58a9ca5bcd54b23f09c8b110082211094189e3555525a4c
-
SSDEEP
1536:BbL7oRv1uhlfShVjSEYTdp0u3p0WIkyZDKeO2XXZuF23CLyOHKr0hnv:9EyhMPYTdpFZnIk4DKeO2VbOHo0Bv
Malware Config
Extracted
njrat
0.7d
<<L~0~0~K >>
microsoft-help.myvnc.com:211
7484964710ffec0dd0c0abcd35c14b2c
-
reg_key
7484964710ffec0dd0c0abcd35c14b2c
-
splitter
|'|'|
Signatures
-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66f357009761da16ba97118cf921f030.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_66f357009761da16ba97118cf921f030.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dllhost.exe" "dllhost.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
97KB
MD566f357009761da16ba97118cf921f030
SHA17fa0857714cbfc108bf92ba81ea55a04f3adbafb
SHA2561b8213f36e6aca9379292c1e2d77c46351703b89936d1e892c95a9496f83cb61
SHA5129b77ef66e4dafec78a7bc5014aeff22e460a3ea7ec23ca1395a8e4cb741975005ab525f0e72db65ba58a9ca5bcd54b23f09c8b110082211094189e3555525a4c
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
48KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB