njrat | bb60523263102e30304b879b02bac1179e07a2642232049beef4307a587c9a4a

General

Target

JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
Size

453KB
MD5

6792a39bf671d4072534e4d91648d720
SHA1

7007803aaff4e8de99a49ba0035f7447fa7d6f4c
SHA256

bb60523263102e30304b879b02bac1179e07a2642232049beef4307a587c9a4a
SHA512

03b0fe75629b2806e8521aa5ec50b36429cc955f23df0111e946e1f741b6922764caa25415fa1740c4dbc9d6745a148dca21b5d27ab7625a39d9be1c970fd54e
SSDEEP

6144:hulQI4MikY0QVYf99hSTCciNuAPFvq3G8kH10Fj3cq45B7:cMkY0QcITCci35

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

reeem20102010.ddns.net:8080

Mutex

14d6da4c751dc9c96791754c828d69d3

Attributes

reg_key
14d6da4c751dc9c96791754c828d69d3
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe

Executes dropped EXE 1 IoCs

pid	Process
3488	server.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
3488	server.exe
3488	server.exe
3488	server.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
Token: SeDebugPrivilege	3488	server.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82
PID 2180 wrote to memory of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82
PID 2180 wrote to memory of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82
PID 2180 wrote to memory of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82
PID 2180 wrote to memory of 4336	2180	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	82
PID 4336 wrote to memory of 3488	4336	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	84
PID 4336 wrote to memory of 3488	4336	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	84
PID 4336 wrote to memory of 3488	4336	JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe	84
PID 3488 wrote to memory of 4568	3488	server.exe	85
PID 3488 wrote to memory of 4568	3488	server.exe	85
PID 3488 wrote to memory of 4568	3488	server.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      C:\Users\Admin\AppData\Local\Temp\server.exe
      4⤵
      PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JaffaCakes118_6792a39bf671d4072534e4d91648d720.exe.log

Filesize
1KB

MD5
de52595a6f9ede9663416e246e7cdaca

SHA1
8b14da579a6aa0e0f111415807bbd8c1e81dbb2d

SHA256
445ff9b847c4564d1c58857d7ff036a7347869ac3172a2aedef0da15122d5b25

SHA512
1402b4641f6b5bdda7b0e7081c23d5e36f70a6b88b59eea6a8605b8426899e8b1367fe3ae864a9d2c1c819b8eedeb6db765d6334da778629f9e77593e5ce0b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
453KB

MD5
6792a39bf671d4072534e4d91648d720

SHA1
7007803aaff4e8de99a49ba0035f7447fa7d6f4c

SHA256
bb60523263102e30304b879b02bac1179e07a2642232049beef4307a587c9a4a

SHA512
03b0fe75629b2806e8521aa5ec50b36429cc955f23df0111e946e1f741b6922764caa25415fa1740c4dbc9d6745a148dca21b5d27ab7625a39d9be1c970fd54e

Download Submit
memory/2180-5-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2180-22-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-4-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/2180-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/2180-6-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-7-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/2180-1-0x0000000000730000-0x00000000007A8000-memory.dmp

Filesize
480KB

Download
memory/2180-20-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-21-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/2180-3-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2180-2-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/2180-24-0x0000000008B00000-0x0000000008B18000-memory.dmp

Filesize
96KB

Download
memory/2180-26-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3488-39-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3488-46-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-23-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4336-40-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing