njrat | f173e2748342cecb2f69e6d83fb4e1a2e8e02556a2e0f74411e901b2fe6a734b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
Size

1.1MB
MD5

690f328aa5dfeac4a0961d2c7fa95540
SHA1

b611df94d77a8f285c237f688ae93ca294aa3ed6
SHA256

f173e2748342cecb2f69e6d83fb4e1a2e8e02556a2e0f74411e901b2fe6a734b
SHA512

a4e6a1f588d7450f4266d7cf7d6910f82f5e30618a29a5dc028ce2ccb1c8cc90cff1ec09a60f80f234cd758745ac65dd72f431eaec422d9dd1422db88fc032b5
SSDEEP

24576:ztb20pkaCqT5TBWgNQ7aJmr52MU7hYM6A:wVg5tQ7aJY2MU9z5

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2280	server.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Chaymae.JPG	DllHost.exe
File created	C:\Windows\Chaymae.JPG	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
File opened for modification	C:\Windows\Chaymae.JPG	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
File created	C:\Windows\server.exe	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
File opened for modification	C:\Windows\server.exe	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2088	DllHost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2088	DllHost.exe
2088	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2280	2912	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe	29
PID 2912 wrote to memory of 2280	2912	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe	29
PID 2912 wrote to memory of 2280	2912	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe	29
PID 2912 wrote to memory of 2280	2912	JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe	29

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_690f328aa5dfeac4a0961d2c7fa95540.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\server.exe
  C:\Windows/server.exe
  2⤵
  - Executes dropped EXE
  PID:2280

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Chaymae.JPG

Filesize
66KB

MD5
ed75e620b9451086aa13833f836693df

SHA1
973c8a071c2a3366b72df52bba7646954774e19a

SHA256
15740a03882ae8a56d3a28ff725b7a697cd3595d0c9e9e9bf3a7310915bc76a2

SHA512
5b8126e92f21c4eb79b33395ef1bec1b452e0f804766f2932305b75016c0507a3c0b676fb85705dfcaf054b86aecee9e3f5585221d69caf255f8886e2c23a16a

Download Submit
C:\Windows\server.exe

Filesize
156KB

MD5
d9f54e2b6b5fae397ed2ec53da539362

SHA1
805eb1f334a564603896ef66b51d2de6adff90a3

SHA256
fd315f868bc5973954d9bb6b2f3e862e19ba49fb49960e75cbd176692df3cd2a

SHA512
ea809f62372a51e0f70439d2491f80728c3068bd24d416af57d5e9a9df52bed784acf67a2ae975c722515dc72e10e51adee68712b15131791f368f730593e12f

Download Submit
memory/2088-12-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2088-13-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2088-25-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2280-19-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2280-20-0x0000000000580000-0x00000000005A8000-memory.dmp

Filesize
160KB

Download
memory/2280-21-0x0000000000AC0000-0x0000000000AE4000-memory.dmp

Filesize
144KB

Download
memory/2280-23-0x0000000000C80000-0x0000000000C9E000-memory.dmp

Filesize
120KB

Download
memory/2280-22-0x0000000000AE0000-0x0000000000B00000-memory.dmp

Filesize
128KB

Download
memory/2280-26-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2912-11-0x0000000000C20000-0x0000000000C22000-memory.dmp

Filesize
8KB

Download