njrat | 3bf3cd02f196b7eb2596c361a708e8723c31dc1c8637f43cad2485d754b60c8b

General

Target

JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
Size

142KB
MD5

78c618883d4ef11d7967a085bb169a90
SHA1

01eddd4cc1a1103838dd3a2147914c63d79eb43e
SHA256

3bf3cd02f196b7eb2596c361a708e8723c31dc1c8637f43cad2485d754b60c8b
SHA512

66fbcfbf608c28038c7ab2ef5132d978147a0393ef7b44dddf180cc3cffea94c677b14972ce63a5f580786259bd0f039961e131ec4641c1df6bacf93f660e707
SSDEEP

3072:t1EHZVn4swmr7XCgNzzKFVlRHCkV162LOh8bO8ntT8r:tOHZV44C4KFX1C01uyxtT

Score

10^/10

njrat hacked discovery trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

110xxx.zapto.org:1177

Mutex

e2acc3c4483cfae75255b2af38dd51a3

Attributes

reg_key
e2acc3c4483cfae75255b2af38dd51a3
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe

Executes dropped EXE 1 IoCs

pid	Process
2812	adobe.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
Token: SeDebugPrivilege	2812	adobe.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83
PID 3764 wrote to memory of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83
PID 3764 wrote to memory of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83
PID 3764 wrote to memory of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83
PID 3764 wrote to memory of 2592	3764	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	83
PID 2592 wrote to memory of 2812	2592	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	84
PID 2592 wrote to memory of 2812	2592	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	84
PID 2592 wrote to memory of 2812	2592	JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe	84
PID 2812 wrote to memory of 2008	2812	adobe.exe	85
PID 2812 wrote to memory of 2008	2812	adobe.exe	85
PID 2812 wrote to memory of 2008	2812	adobe.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Roaming\adobe.exe
    "C:\Users\Admin\AppData\Roaming\adobe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Users\Admin\AppData\Roaming\adobe.exe
      C:\Users\Admin\AppData\Roaming\adobe.exe
      4⤵
      PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JaffaCakes118_78c618883d4ef11d7967a085bb169a90.exe.log

Filesize
223B

MD5
1cc4c5b51e50ec74a6880b50ecbee28b

SHA1
1ba7bb0e86c3d23fb0dc8bf16798d37afb4c4aba

SHA256
0556734df26e82e363d47748a3ceedd5c23ea4b9ded6e68bd5c373c1c9f8777b

SHA512
5d5532602b381125b24a9bd78781ed722ce0c862214ef17e7d224d269e6e7045c919ab19896dd8d9ae8920726092efe0ffb776a77a9a9539c4a70188d5a4c706

Download Submit
C:\Users\Admin\AppData\Roaming\adobe.exe

Filesize
142KB

MD5
78c618883d4ef11d7967a085bb169a90

SHA1
01eddd4cc1a1103838dd3a2147914c63d79eb43e

SHA256
3bf3cd02f196b7eb2596c361a708e8723c31dc1c8637f43cad2485d754b60c8b

SHA512
66fbcfbf608c28038c7ab2ef5132d978147a0393ef7b44dddf180cc3cffea94c677b14972ce63a5f580786259bd0f039961e131ec4641c1df6bacf93f660e707

Download Submit
memory/2592-22-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2592-34-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2592-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2812-44-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2812-43-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2812-36-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2812-37-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/2812-35-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-21-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-1-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-2-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-0-0x00000000745B2000-0x00000000745B3000-memory.dmp

Filesize
4KB

Download
memory/3764-20-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-4-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download
memory/3764-18-0x00000000745B0000-0x0000000074B61000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing