njrat | d4505f8faf56e0ff680a7c13e9b2dfde5ef091352a2754cc059d6c95b1ed764a

General

Target

JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe
Size

63KB
MD5

776bc344558e17c4f79a52eefd4af350
SHA1

a4da5e693c29bf35b96543e37142d8b53dd11c19
SHA256

d4505f8faf56e0ff680a7c13e9b2dfde5ef091352a2754cc059d6c95b1ed764a
SHA512

5f8e3b5408226b8bc02f7ecfa815f703be044123ea88ce0fc40fa600d376b1fe67e7a05d7b43c5d5b16c0652a28c8bfaa12194295368ee11bc607bac7fc54efb
SSDEEP

1536:G3GNisbcrQ3KXyV+LKhpadsNbRPLN8GQhTUVYC3EW:bN0r3XyamrNdPR8GcYEW

Score

10^/10

njrat mourad discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Mourad

C2

halimoullah.no-ip.org:1234

Mutex

0e38f0c0b1d3bb006f8fbc6faf254716

Attributes

reg_key
0e38f0c0b1d3bb006f8fbc6faf254716
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2720	AcroRd32.exe
2720	AcroRd32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 2192 wrote to memory of 1724	2192	JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe	30
PID 1724 wrote to memory of 2720	1724	rundll32.exe	31
PID 1724 wrote to memory of 2720	1724	rundll32.exe	31
PID 1724 wrote to memory of 2720	1724	rundll32.exe	31
PID 1724 wrote to memory of 2720	1724	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_776bc344558e17c4f79a52eefd4af350.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\chrome.eexe
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\chrome.eexe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f9fbccdf86e408578a45a2cd2110e251

SHA1
725c9d225bab4a63f419def75185e3b5d1e08b6f

SHA256
1a478586cd3cf1bd970433ed5d64d278ab0007314b564be4b65da0f1db840abc

SHA512
eb829b6215db8b34fdcf241998dcc7488f7cb160272258773a49c12a6a72d40828eb80c1908300b2969243ee447f8610284477b016d778bbe448ea47dea1d5ee

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.eexe

Filesize
63KB

MD5
776bc344558e17c4f79a52eefd4af350

SHA1
a4da5e693c29bf35b96543e37142d8b53dd11c19

SHA256
d4505f8faf56e0ff680a7c13e9b2dfde5ef091352a2754cc059d6c95b1ed764a

SHA512
5f8e3b5408226b8bc02f7ecfa815f703be044123ea88ce0fc40fa600d376b1fe67e7a05d7b43c5d5b16c0652a28c8bfaa12194295368ee11bc607bac7fc54efb

Download Submit
memory/2192-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2192-2-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2192-3-0x0000000000750000-0x000000000076C000-memory.dmp

Filesize
112KB

Download
memory/2192-4-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2192-6-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing