Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 06-07-2022 05:14
Behavioral task: behavioral1
- Sample: JaySoy.exe
- Resource: win7-20220414-en
General
- Target: JaySoy.exe
- Size: 93KB
- MD5: e1bb8ea28a8d53fd209d1262e239397a
- SHA1: b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc
- SHA256: ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab
- SHA512: 3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: JaySo
- C2: NC50Y3AuZXUubmdyb2suaW8Strik:MTI5MDg=
- Mutex: 429c4d90923139137515b87f729f47b8
- reg_key: 429c4d90923139137515b87f729f47b8
- splitter: |'|'|
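The C2 field above is stored as two base64 halves, host:port. The Python below is an added example (not sandbox output and not njRAT code) that decodes it and then shows how the `|'|'|` splitter is used on the wire. It assumes the non-base64 word "Strik" in the host half stands in for stripped "=" padding; under that assumption the host decodes to a hostname under ngrok's TCP tunnel service, so the operator's real address is hidden behind a public relay and alerting on ngrok tunnel hostnames from endpoints is a cheap detection. The wire framing (ASCII length, NUL, payload) and the "ll" registration command follow public njRAT 0.7d analyses; the sample message, its field order and the victim id "HacKed_<reg_key>" are constructed for the example.

```python
from __future__ import annotations

import base64
import re

# Values copied from the extracted config above.
C2_FIELD = "NC50Y3AuZXUubmdyb2suaW8Strik:MTI5MDg="
SPLITTER = "|'|'|"
REG_KEY = "429c4d90923139137515b87f729f47b8"

# Assumption: the non-base64 word "Strik" in the host half replaces the
# stripped "=" padding (a string-obfuscation trick; the report does not say so).
PADDING_TOKEN = "Strik"
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def b64_field(value: str, padding_token: str = PADDING_TOKEN) -> bytes:
    """Decode one config field, restoring padding the builder replaced."""
    cleaned = value.replace(padding_token, "")
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def decode_c2(field: str) -> tuple[str, int]:
    """Turn the 'b64(host):b64(port)' field into (host, port), sanity-checked."""
    host_b64, port_b64 = field.rsplit(":", 1)
    host = b64_field(host_b64).decode("ascii")
    port = int(b64_field(port_b64).decode("ascii"))
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"decoded host is not a hostname: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"decoded port out of range: {port}")
    return host, port


def frame(payload: str) -> bytes:
    """njRAT wire framing: ASCII decimal length, a NUL byte, then the payload."""
    data = payload.encode("utf-8")
    return f"{len(data)}\x00".encode("ascii") + data


def parse_frames(stream: bytes) -> list[list[str]]:
    """Pull every complete frame off a byte stream and split it on the splitter."""
    messages = []
    while stream:
        length, sep, rest = stream.partition(b"\x00")
        if not sep or not length.isdigit():
            break
        n = int(length)
        if len(rest) < n:
            break  # partial frame: wait for more data
        payload, stream = rest[:n], rest[n:]
        messages.append(payload.decode("utf-8", "replace").split(SPLITTER))
    return messages


def maybe_b64(field: str) -> str:
    """Decode a field that is valid base64 text; leave anything else unchanged."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return field


# Constructed registration ("ll") message: the field order is illustrative and
# the victim id "HacKed_<reg_key>" is an assumption, not taken from the report.
VICTIM_ID = base64.b64encode(f"HacKed_{REG_KEY}".encode()).decode()
SAMPLE_STREAM = frame(SPLITTER.join(["ll", VICTIM_ID, "DESKTOP-SANDBOX", "Admin", "0.7d"]))


def registration_ids(stream: bytes) -> list[str]:
    """Victim identifiers from every 'll' registration frame in a stream."""
    return [maybe_b64(f[1]) for f in parse_frames(stream) if len(f) > 1 and f[0] == "ll"]


if __name__ == "__main__":
    print(decode_c2(C2_FIELD))
    print(registration_ids(SAMPLE_STREAM))
```

The decoder rejects anything that is not a plausible hostname or port, so a wrong padding assumption fails loudly instead of producing a garbage indicator. `parse_frames` stops on a partial frame rather than guessing, which is the behaviour you want when feeding it reassembled TCP data a chunk at a time.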
Signatures
Executes dropped EXE (1 IoC)
- Process: server.exe, PID 2284
Modifies Windows Firewall (1 TTP, 1 IoC)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
- JaySoy.exe: key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Drops startup file (4 IoCs)
- server.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
- server.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
- server.exe: file created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\429c4d90923139137515b87f729f47b8Windows Update.exe
- server.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\429c4d90923139137515b87f729f47b8Windows Update.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but njRAT enumerates drives for its file-manager and USB-spreading features, so on its own this signature is not evidence of file encryption.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- server.exe (PID 2284), 64 events
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- server.exe (PID 2284)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
- server.exe (PID 2284): SeDebugPrivilege enabled once, followed by alternating adjustments of privilege 33 (SeIncreaseWorkingSetPrivilege, shown by LUID) and SeIncBasePriorityPrivilege, 17 pairs in total
Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3024 (JaySoy.exe) wrote to the memory of PID 2284 (server.exe), 3 events
- PID 2284 (server.exe) wrote to the memory of PID 4612 (netsh.exe), 3 events
Writes by a parent into a child it has just created are commonly part of ordinary process start-up; treat this signature as supporting context for the process tree below rather than as proof of code injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\JaySoy.exe (PID 3024), command line: "C:\Users\Admin\AppData\Local\Temp\JaySoy.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2284), command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4612), command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
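The process tree above is the classic njRAT chain: a dropped copy in %Temp% adds itself to the firewall allow list via netsh and writes into the Startup folder. As an added example (the rules are the editor's, not the sandbox's), the Python below runs two detections over a constructed event list that mirrors the tree: PIDs 3024, 2284 and 4612 are the report's, while the root parent PID, the "Vendor" installer used as a benign control and the event dictionary shape are assumptions. It flags netsh calls whose allowed program is the parent process itself or lives under a user-writable profile path, and Startup-folder writes by processes running from AppData.

```python
from __future__ import annotations

import re

# Constructed process/file events mirroring the report's tree. PIDs 3024, 2284
# and 4612 come from the report; the root parent (1234) and the "Vendor"
# installer used as a benign control are made up for this example.
EVENTS = [
    {"type": "process", "pid": 3024, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\JaySoy.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\JaySoy.exe"'},
    {"type": "process", "pid": 2284, "ppid": 3024,
     "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "file", "pid": 2284,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\429c4d90923139137515b87f729f47b8Windows Update.exe"},
    {"type": "process", "pid": 4612, "ppid": 2284,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
    {"type": "process", "pid": 5000, "ppid": 1234,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe"'},
    {"type": "process", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Vendor" dir=in action=allow program="C:\Program Files\Vendor\agent.exe"'},
]

# Legacy "netsh firewall add allowedprogram <path>" and modern
# "netsh advfirewall firewall add rule ... program=<path>" forms.
FIREWALL_PROGRAM = re.compile(r'(?:allowedprogram|program=)\s*(?:"([^"]+)"|(\S+))', re.I)
# Per-user, user-writable locations a legitimate service binary rarely runs from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _processes(events: list[dict]) -> dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def firewall_allowlisting(events: list[dict]) -> list[tuple[int, str]]:
    """netsh invocations that allow a program which is either the netsh
    parent itself or anything under a user-writable profile directory."""
    by_pid = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\netsh.exe"):
            continue
        m = FIREWALL_PROGRAM.search(e["cmdline"])
        if not m:
            continue
        program = m.group(1) or m.group(2)
        parent = by_pid.get(e["ppid"])
        self_allow = parent is not None and parent["image"].lower() == program.lower()
        if self_allow or USER_WRITABLE.search(program):
            hits.append((e["pid"], program))
    return hits


def startup_drops(events: list[dict]) -> list[tuple[int, str]]:
    """Files written into a Startup folder by a process running from AppData."""
    by_pid = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "file" or not STARTUP_DIR.search(e["path"]):
            continue
        writer = by_pid.get(e["pid"])
        if writer is not None and USER_WRITABLE.search(writer["image"]):
            hits.append((e["pid"], e["path"]))
    return hits


if __name__ == "__main__":
    for pid, program in firewall_allowlisting(EVENTS):
        print(f"firewall allow-list from user-writable path: netsh pid={pid} program={program}")
    for pid, path in startup_drops(EVENTS):
        print(f"startup persistence: pid={pid} path={path}")
```

The benign control (an installer under Program Files allowing an agent under Program Files) produces no hit, which is the point of keying on the program path and the parent relationship rather than on `netsh.exe` alone: netsh is noisy on managed fleets, while a self-allow-listing binary in a Temp or Roaming directory is not.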
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\server.exe
  - Filesize: 93KB
  - MD5: e1bb8ea28a8d53fd209d1262e239397a
  - SHA1: b4dd3322073f8d51ea1d8cb0f7a2768b388f1fbc
  - SHA256: ecb9c4919b6503f72bebaa118d23bcc09ce8430dae03b98b2b8e2eed206850ab
  - SHA512: 3f0221d33d78324f6aa7091a20afd1c6d210bf00462c0468d7ea952c7b60ec7dcddb743257cc1d3b5b407de93bf18c2d36ae964cd83cf3c5c09863db5648c77d
  - These hashes match the submitted JaySoy.exe exactly: the sample copies itself to %Temp% as server.exe rather than dropping a second payload, so a single hash covers both files.
- C:\Users\Admin\AppData\Roaming\app
  - Filesize: 4B
  - MD5: 3eb8a6afa534fadc147aa70dea76e863
  - SHA1: 03b827d99098f69c9f126679598f7166c99d1624
  - SHA256: d3d1d98df443947ab0b52378acbb5f5c21593677b45f0403b3831c93d8be7fca
  - SHA512: b9d20e1f18dd2dc9a71e436e5c27854196f1f8f0adfbf59aed9d70ab83b88c2c39958720508e87d98f8cb23dcb7bbaa81825406439edcc07b6d2ee310acd4327
- memory/2284-131-0x0000000000000000-mapping.dmp
- memory/2284-135-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/2284-138-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/3024-130-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/3024-134-0x0000000074A60000-0x0000000075011000-memory.dmp (Filesize: 5.7MB)
- memory/4612-137-0x0000000000000000-mapping.dmp