Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-01-2025 19:54

General

  • Target

    JaffaCakes118_ba992f195c2a1517afe0bddd513459e5.exe

  • Size

    33KB

  • MD5

    ba992f195c2a1517afe0bddd513459e5

  • SHA1

    d148b93b652cf051263d030c66ec3bd0e8926267

  • SHA256

    5a37df41c699de4db40cce4ccb3bd9388a1cfb9691b803572effd6bf01a42514

  • SHA512

    9131ab7296b5f75be286cb52fcb9fa429b5637bb0332fb9fbd7e838b74277b8a9af8f8d6db6c3f161efa82f7d6df75397a46e7e00a2028ab5f5766f542218c28

  • SSDEEP

    768:PnKR7bUw2C/o26qupedBKh0p29SgRK15:vY7b2f/+KhG29jK15

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

WeSt-K.S.A @

C2

127.0.0.1:5551

Mutex

0f436963af986f0915e6f175d79d7302

Attributes
  • reg_key

    0f436963af986f0915e6f175d79d7302

  • splitter

    |'|'|

Signatures

  • Njrat family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoCs)
  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses (32 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba992f195c2a1517afe0bddd513459e5.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba992f195c2a1517afe0bddd513459e5.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Windows\SYSTEM32\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba992f195c2a1517afe0bddd513459e5.exe" "JaffaCakes118_ba992f195c2a1517afe0bddd513459e5.exe" ENABLE
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:2256

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4480-0-0x00007FF87A7F3000-0x00007FF87A7F5000-memory.dmp

    Filesize

    8KB

  • memory/4480-1-0x0000000000860000-0x000000000086C000-memory.dmp

    Filesize

    48KB

  • memory/4480-2-0x0000000001120000-0x000000000112E000-memory.dmp

    Filesize

    56KB

  • memory/4480-3-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4480-4-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4480-5-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4480-6-0x00007FF87A7F0000-0x00007FF87B2B1000-memory.dmp

    Filesize

    10.8MB