Overview

overview

10

Static

static

3

JaffaCakes...67.exe

windows7-x64

10

JaffaCakes...67.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_9879774208b15b338883bb3e4b3b1f67

  • Size

    11.7MB

  • Sample

    250105-knhhxsypfv

  • MD5

    9879774208b15b338883bb3e4b3b1f67

  • SHA1

    f3c6bfabe12989b0937c007298593ce753528525

  • SHA256

    46c75b74d21515e607a66db4dc2a04aebf4c03b5f885e2008f7ab2238a87c334

  • SHA512

    61a3ee21ff5b413d0856f17fe56b760061b9f819d5d9ba5a6451b01e5ba8f881bdf03b80587912c27a2ea5c2f1cd60e7b4f84b80b07b589e838be092ac117cfd

  • SSDEEP

    196608:310dD4Uk+mdtvzgLvEixiwPj8DMw1046pdHK1MVoK4JH539q15Un:31yDJmd6LvE4vOMJd9K1MVoKeH5NqM

Score
10/10
njratdiscoveryevasionpersistenceprivilege_escalationtrojan

Malware Config

Targets

    • Target

      JaffaCakes118_9879774208b15b338883bb3e4b3b1f67

    • Size

      11.7MB

    • MD5

      9879774208b15b338883bb3e4b3b1f67

    • SHA1

      f3c6bfabe12989b0937c007298593ce753528525

    • SHA256

      46c75b74d21515e607a66db4dc2a04aebf4c03b5f885e2008f7ab2238a87c334

    • SHA512

      61a3ee21ff5b413d0856f17fe56b760061b9f819d5d9ba5a6451b01e5ba8f881bdf03b80587912c27a2ea5c2f1cd60e7b4f84b80b07b589e838be092ac117cfd

    • SSDEEP

      196608:310dD4Uk+mdtvzgLvEixiwPj8DMw1046pdHK1MVoK4JH539q15Un:31yDJmd6LvE4vOMJd9K1MVoKeH5NqM

    Score
    10/10
    njratdiscoveryevasionpersistenceprivilege_escalationtrojan

    • Njrat family

      njrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Exfiltration

Impact

Tasks