njrat | 40d209a52f28e901ef7c088a74fa7a4f4822d8c15460cfaa6fa73a4d4bb074ba

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe
Size

300KB
MD5

c9ea2c601f092e8af013d1eee3d15f3b
SHA1

16a0f37d44f602365ac18cab3cc216caa26f6a9d
SHA256

40d209a52f28e901ef7c088a74fa7a4f4822d8c15460cfaa6fa73a4d4bb074ba
SHA512

26ccbad8b7f82868f9a2ec034ce13424672bd6bc9c82843c8ce2253eef83ff449d0502def57a70ddd54d86d3bb879c91296f7198890f4c5c5482db565fb2b9ef
SSDEEP

6144:EH+B6jXSEggT3L3PiO4ubwdjaKf7vfgDSMpv+u:EH+4jXagT3L3PiO4ubc/Tg7pv+u

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hakim32.ddns.net:2000

abada2018.ddns.net:1177

Mutex

ff0b80ee33aa195b5fb9d33d0e0bf17c

Attributes

reg_key
ff0b80ee33aa195b5fb9d33d0e0bf17c
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2964	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff0b80ee33aa195b5fb9d33d0e0bf17cWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ff0b80ee33aa195b5fb9d33d0e0bf17cWindows Update.exe	server.exe

Executes dropped EXE 1 IoCs

pid	Process
3024	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe
3024	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3024	server.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe
Token: 33	3024	server.exe
Token: SeIncBasePriorityPrivilege	3024	server.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 3024	1376	JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe	83
PID 1376 wrote to memory of 3024	1376	JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe	83
PID 1376 wrote to memory of 3024	1376	JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe	83
PID 3024 wrote to memory of 2964	3024	server.exe	84
PID 3024 wrote to memory of 2964	3024	server.exe	84
PID 3024 wrote to memory of 2964	3024	server.exe	84

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c9ea2c601f092e8af013d1eee3d15f3b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
300KB

MD5
c9ea2c601f092e8af013d1eee3d15f3b

SHA1
16a0f37d44f602365ac18cab3cc216caa26f6a9d

SHA256
40d209a52f28e901ef7c088a74fa7a4f4822d8c15460cfaa6fa73a4d4bb074ba

SHA512
26ccbad8b7f82868f9a2ec034ce13424672bd6bc9c82843c8ce2253eef83ff449d0502def57a70ddd54d86d3bb879c91296f7198890f4c5c5482db565fb2b9ef

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
4B

MD5
7a8184d640ef6cdf954a7f10b80dc908

SHA1
541efc229f03c114a3e8f8413a293947e2578e82

SHA256
f82cb3b7c58b97a0b99662278b17e1cfb211ac7db5640f116ee2cc78475a1887

SHA512
cfa2535b3f842bc525b5d07053fd0267bbdea903364965971b472a172395c557d716b3caa5330a80c197331ce6b0fa6c1d3cb9bed4ae290fc4a8190479425659

Download Submit
memory/1376-6-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/1376-3-0x0000000000DF0000-0x0000000000E0C000-memory.dmp

Filesize
112KB

Download
memory/1376-4-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/1376-5-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1376-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/1376-2-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/1376-21-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/1376-1-0x0000000000410000-0x0000000000460000-memory.dmp

Filesize
320KB

Download
memory/3024-20-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3024-22-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3024-27-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/3024-29-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3024-30-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download