Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-04-2024 03:27
Static task: static1
Behavioral task: behavioral1
- Sample: f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe
- Size: 120KB
- MD5: f4ef4c394d0ca5d493b584b0d6f7a08d
- SHA1: 3ec040c1ac1a4c72430e70505746d69c1379c7f4
- SHA256: f82488b7580088ef97f7eb9112a860ebd7c67489b40e23971e37acdfc6bbf0a3
- SHA512: a44460b7edbc0761a12457fc27627dc7bc28820fd8b48412e12e1d13aabac1f146cba147d61afbe43c0a39cfc90367aa49667ee6717cda5b57757353d7a7cd06
- SSDEEP: 1536:9qNkaWgQKUFftuITp1+8+CthPXstugIaFVIFEKFR59vEcqrmqwfzy9KJsz:o/WXPD+8TXM9F+EO595qrb9y
Malware Config
Extracted
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: 107.152.99.41:54893
- Mutex: Windows
- Attributes:
  - reg_key: Windows
  - splitter: |-F-|
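The splitter and C2 endpoint above are what a network decoder needs. The following is an added example, not code from the report or from the malware: it frames a captured TCP stream the way public njRAT 0.7d builds frame it (ASCII decimal length, a NUL byte, then the payload) and splits each payload on `|-F-|`. That framing, the `ll` check-in command and the base64 host identifier in its second field come from the public 0.7d source and are assumed here to hold for this v2.0 build; the report does not confirm them. The sample stream is constructed.

```python
"""Decode C2 traffic framed the way public njRAT builds frame it, using the
splitter and C2 endpoint from the extracted config. Added example: the
"<decimal length>\\0<payload>" framing, the "ll" check-in command and the
base64 host identifier are taken from public njRAT 0.7d source and are
assumed for this v2.0 build; the report does not confirm them."""
import base64
import binascii

SPLITTER = "|-F-|"                          # from the extracted config
C2_HOST, C2_PORT = "107.152.99.41", 54893   # from the extracted config


def encode_message(payload: bytes) -> bytes:
    """Wrap a payload in njRAT framing: ASCII decimal length, NUL, payload."""
    return str(len(payload)).encode() + b"\x00" + payload


def frame_messages(buf: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete payloads.

    Returns (payloads, leftover). Leftover is whatever follows the last
    complete message, so a message cut by a segment boundary is held until
    the caller appends the next segment and calls again, not dropped.
    """
    out: list[bytes] = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            return out, buf                   # no complete header yet
        head = buf[:nul]
        if not head.isdigit():
            raise ValueError(f"not njRAT framing, header {head!r}")
        length, start = int(head), nul + 1
        if len(buf) - start < length:
            return out, buf                   # body not fully received
        out.append(buf[start:start + length])
        buf = buf[start + length:]


def split_fields(payload: bytes, splitter: str = SPLITTER) -> list[str]:
    """Break one payload into its fields; the first field is the command."""
    return payload.decode("utf-8", errors="replace").split(splitter)


def decode_host_id(field: str):
    """Second field of the "ll" check-in is a base64 host identifier in
    public builds (assumption); return it decoded, or None if the field is
    not valid base64 text."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def decode_stream(buf: bytes) -> list[dict]:
    """Framing plus field split for every complete message in buf."""
    rows = []
    msgs, _leftover = frame_messages(buf)
    for m in msgs:
        fields = split_fields(m)
        row = {"command": fields[0], "fields": fields[1:]}
        if fields[0] == "ll" and len(fields) > 1:
            row["host_id"] = decode_host_id(fields[1])
        rows.append(row)
    return rows


# Constructed sample: a check-in followed by a short second message, as they
# would arrive at the C2. Field values are made up for the demo; "HacKed" is
# the botnet ID from the config.
SAMPLE_STREAM = (
    encode_message(b"ll|-F-|V0lOLVRFU1Q=|-F-|Admin|-F-|HacKed")
    + encode_message(b"inf")
)

if __name__ == "__main__":
    for row in decode_stream(SAMPLE_STREAM):
        print(row)
```

`frame_messages` is written to be called repeatedly with the leftover bytes prepended to the next segment, which is how a stream reassembler or a Zeek/Suricata-style analyzer would drive it; feeding it one segment at a time without carrying the leftover silently loses any message that straddles a boundary.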
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: PID 5116 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation (f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe)
- Drops startup file (6 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (tmp347D.tmphjgcdkzzlzn.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57fb05ec5f5f4ec817027bcb7278a5fa.exe (tmp353A.tmpxiehdojqwgdwfoy.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\57fb05ec5f5f4ec817027bcb7278a5fa.exe (tmp353A.tmpxiehdojqwgdwfoy.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (tmp347D.tmphjgcdkzzlzn.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (tmp347D.tmphjgcdkzzlzn.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe (attrib.exe)
- Executes dropped EXE (2 IoCs)
  PID 1440 tmp347D.tmphjgcdkzzlzn.exe
  PID 2688 tmp353A.tmpxiehdojqwgdwfoy.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (tmp347D.tmphjgcdkzzlzn.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (tmp347D.tmphjgcdkzzlzn.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57fb05ec5f5f4ec817027bcb7278a5fa = "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe" .. (tmp353A.tmpxiehdojqwgdwfoy.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57fb05ec5f5f4ec817027bcb7278a5fa = "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe" .. (tmp353A.tmpxiehdojqwgdwfoy.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (tmp347D.tmphjgcdkzzlzn.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (tmp347D.tmphjgcdkzzlzn.exe)
  Note: the value name "Windows" matches reg_key in the extracted config. tmp347D.tmphjgcdkzzlzn.exe lands in the WOW6432Node Run key (and spawns SysWOW64\attrib.exe), i.e. it runs as a 32-bit process under WOW64 registry redirection, while tmp353A.tmpxiehdojqwgdwfoy.exe writes the native HKLM Run key; a sweep that reads only the native key misses the first.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege, PID 2688 tmp353A.tmpxiehdojqwgdwfoy.exe
  Token: SeDebugPrivilege, PID 1440 tmp347D.tmphjgcdkzzlzn.exe
  Token: 33 followed by SeIncBasePriorityPrivilege, PID 2688 tmp353A.tmpxiehdojqwgdwfoy.exe (19 pairs, 38 entries)
  Token: 33 followed by SeIncBasePriorityPrivilege, PID 1440 tmp347D.tmphjgcdkzzlzn.exe (12 pairs, 24 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2584 f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe wrote to memory of PID 1440 tmp347D.tmphjgcdkzzlzn.exe (3 writes)
  PID 2584 f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe wrote to memory of PID 2688 tmp353A.tmpxiehdojqwgdwfoy.exe (2 writes)
  PID 2688 tmp353A.tmpxiehdojqwgdwfoy.exe wrote to memory of PID 5116 netsh.exe (2 writes)
  PID 1440 tmp347D.tmphjgcdkzzlzn.exe wrote to memory of PID 2260 attrib.exe (3 writes)
  PID 1440 tmp347D.tmphjgcdkzzlzn.exe wrote to memory of PID 3052 attrib.exe (3 writes)
  Every write goes from a parent into a child it has just spawned (see the process tree); no writes into unrelated processes were recorded.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 2260 attrib.exe
  PID 3052 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe (PID 2584)
  "C:\Users\Admin\AppData\Local\Temp\f4ef4c394d0ca5d493b584b0d6f7a08d_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\tmp347D.tmphjgcdkzzlzn.exe (PID 1440)
    "C:\Users\Admin\AppData\Local\Temp\tmp347D.tmphjgcdkzzlzn.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      - Drops startup file
      - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe (PID 2688)
    "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\netsh.exe (PID 5116)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe" "tmp353A.tmpxiehdojqwgdwfoy.exe" ENABLE
      - Modifies Windows Firewall
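The Signatures and the process tree above give five behaviours worth turning into detection logic: a Run value that points into a user-writable path (native or WOW6432Node key), a dropped executable or shortcut in the Startup folder, `attrib +h` on a dropped file, `netsh firewall add allowedprogram`, and a system utility launched by a parent running out of Temp. The following is an added example, not part of the report and not Triage's own signature code: it runs those checks over constructed Sysmon-style events (EID 1 process create, EID 11 file create, EID 13 registry value set) built from the report's IoCs, with two benign events as controls. Field names follow Sysmon, the rule names are the example's own, and the pairing of the two attrib.exe PIDs with their command lines is assumed, since the report does not state it.

```python
"""Detection checks for the behaviours flagged in this report, run over
constructed Sysmon-style events (EID 1 process create, EID 11 file create,
EID 13 registry value set). Added example: field names follow Sysmon, the
sample events are built from the report's IoCs rather than captured logs,
and the rule names are this example's own."""
import re

# "\" in the raw strings is a regex escape for a literal backslash.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\|\\users\\public\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)   # also matches WOW6432Node\...\Run
LOLBINS = {"netsh.exe", "attrib.exe", "cmd.exe", "powershell.exe", "schtasks.exe"}


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def firewall_allow(ev) -> bool:
    """T1562.004: netsh adds a host-firewall exception for a program."""
    if ev.get("EventID") != 1 or _image_name(ev.get("Image", "")) != "netsh.exe":
        return False
    cl = ev.get("CommandLine", "").lower()
    return "firewall" in cl and ("allowedprogram" in cl or "add rule" in cl) \
        and ("enable" in cl or "allow" in cl)


def attrib_hide(ev) -> bool:
    """T1564.001: attrib +h applied to a file under a user-writable path."""
    if ev.get("EventID") != 1 or _image_name(ev.get("Image", "")) != "attrib.exe":
        return False
    cl = ev.get("CommandLine", "")
    return "+h" in cl.lower() and USER_WRITABLE.search(cl) is not None


def lolbin_from_dropped_parent(ev) -> bool:
    """System utility whose parent runs out of Temp/Roaming (a dropped file)."""
    return ev.get("EventID") == 1 and _image_name(ev.get("Image", "")) in LOLBINS \
        and USER_WRITABLE.search(ev.get("ParentImage", "")) is not None


def run_key_user_writable(ev) -> bool:
    """T1547.001: Run value (native or WOW6432Node) pointing into a user-writable path."""
    return ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")) is not None \
        and USER_WRITABLE.search(ev.get("Details", "")) is not None


def startup_folder_drop(ev) -> bool:
    """T1547.001: executable or shortcut written into the Startup folder."""
    name = ev.get("TargetFilename", "")
    return ev.get("EventID") == 11 and STARTUP_DIR.search(name) is not None \
        and name.lower().endswith((".exe", ".lnk", ".url"))


RULES = [
    ("firewall_allowedprogram", "T1562.004", firewall_allow),
    ("attrib_hide", "T1564.001", attrib_hide),
    ("lolbin_from_dropped_parent", None, lolbin_from_dropped_parent),
    ("run_key_user_writable", "T1547.001", run_key_user_writable),
    ("startup_folder_drop", "T1547.001", startup_folder_drop),
]


def scan(events) -> list[dict]:
    """Apply every rule to every event; one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for name, technique, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "technique": technique,
                             "pid": ev.get("ProcessId"), "image": ev.get("Image")})
    return hits


TMP353A = r"C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe"
TMP347D = r"C:\Users\Admin\AppData\Local\Temp\tmp347D.tmphjgcdkzzlzn.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
TEMPLATES = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates"

# Constructed from the report's process tree and IoCs (attrib PID-to-command
# pairing assumed); the last two events are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5116, "Image": r"C:\Windows\SYSTEM32\netsh.exe",
     "ParentImage": TMP353A,
     "CommandLine": f'netsh firewall add allowedprogram "{TMP353A}" "tmp353A.tmpxiehdojqwgdwfoy.exe" ENABLE'},
    {"EventID": 1, "ProcessId": 2260, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "ParentImage": TMP347D, "CommandLine": f'attrib +h +r +s "{STARTUP}\\Windows.exe"'},
    {"EventID": 1, "ProcessId": 3052, "Image": r"C:\Windows\SysWOW64\attrib.exe",
     "ParentImage": TMP347D, "CommandLine": f'attrib +h +r +s "{TEMPLATES}\\Windows.exe"'},
    {"EventID": 13, "ProcessId": 1440, "Image": TMP347D,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows",
     "Details": f"{TEMPLATES}\\Windows.URL"},
    {"EventID": 13, "ProcessId": 2688, "Image": TMP353A,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\57fb05ec5f5f4ec817027bcb7278a5fa",
     "Details": f'"{TMP353A}" ..'},
    {"EventID": 11, "ProcessId": 1440, "Image": TMP347D,
     "TargetFilename": f"{STARTUP}\\Windows.lnk"},
    {"EventID": 1, "ProcessId": 4000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 13, "ProcessId": 4001, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The `RUN_KEY` pattern deliberately matches the WOW6432Node path as well as the native one, because the 32-bit dropper in this report persists only under WOW6432Node; the `lolbin_from_dropped_parent` check carries no technique ID because it keys on the parent's location rather than on a specific technique, and it is the one rule here that fires on all three system-utility launches in the tree.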
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp347D.tmphjgcdkzzlzn.exe
  Filesize: 27KB
  MD5: c02d456f4a45039d08027055d44eafed
  SHA1: a29630fd9e2b16b5dedf690a3fe6b972149f7782
  SHA256: 9f33ffec778fb87cece32d085b9dd91091fc5b5dc0d5babf4cf14db18b557ebf
  SHA512: c36bfe2145274d526aeb81e11840636564b569289d60ccdc1efdaf1dd09d5d00fd277d62bd218ad8686bf923b934039e643237dced3893996a63e1b050ce4a74
- C:\Users\Admin\AppData\Local\Temp\tmp353A.tmpxiehdojqwgdwfoy.exe
  Filesize: 71KB
  MD5: 53824bb4380d5ba3b4024322f157d467
  SHA1: e2b5fa8dcd0eb30ba0d16f7917aad9da2c6efb68
  SHA256: f0656c1cfecf896870c8852213507b50341d939a09abb0c7ea3b0b6121b749a2
  SHA512: a0f2be05bf7f45553735583265531a6731ba49166d7b864d50ebbcca2bbcfd993cca4f2e47ce9011718c2629f3a073862d312ce34c1c3d452ccfb1e7f4023097
- Memory dumps (dump name, address range, filesize):
  memory/1440-31  0x0000000000C20000-0x0000000000C30000  64KB
  memory/1440-32  0x0000000074F20000-0x00000000754D1000  5.7MB
  memory/1440-48  0x0000000000C20000-0x0000000000C30000  64KB
  memory/1440-47  0x0000000074F20000-0x00000000754D1000  5.7MB
  memory/1440-29  0x0000000074F20000-0x00000000754D1000  5.7MB
  memory/2584-2   0x0000000001130000-0x0000000001140000  64KB
  memory/2584-1   0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2584-24  0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2584-4   0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2584-0   0x000000001B8E0000-0x000000001B986000  664KB
  memory/2688-33  0x0000000000DB0000-0x0000000000DBE000  56KB
  memory/2688-27  0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2688-34  0x000000001BE10000-0x000000001C2DE000  4.8MB
  memory/2688-37  0x000000001C5E0000-0x000000001C67C000  624KB
  memory/2688-38  0x000000001B0E0000-0x000000001B0E8000  32KB
  memory/2688-43  0x0000000000C10000-0x0000000000C20000  64KB
  memory/2688-45  0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2688-46  0x0000000000C10000-0x0000000000C20000  64KB
  memory/2688-26  0x0000000000C10000-0x0000000000C20000  64KB
  memory/2688-25  0x00007FF9DDD80000-0x00007FF9DE721000  9.6MB
  memory/2688-51  0x0000000000C10000-0x0000000000C20000  64KB
  The dumps for PID 1440 (tmp347D.tmphjgcdkzzlzn.exe) sit entirely below 4GB, consistent with the 32-bit process inferred above; PIDs 2584 and 2688 have 64-bit ranges.