Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 27/04/2024, 05:33
Static task: static1
Behavioral task: behavioral1
Sample: 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe
Size: 472KB
MD5: 0289ca0e6a5378bb01d2fdb5c84aaf07
SHA1: 5f76ce7e0ffe97d949988974fb96f36b8d39cfd6
SHA256: b20b02e40ef6e17882c380a681278f21ccb3699847cb7f618b78f6be6ba63609
SHA512: 974d923a74b145a9014e384e8f43812c170b40459055c974a420bc77b7f956c6469c9e01e66ec1ea0c3033c32eaf062c886195c39acbd87edb34dae7e40240e7
SSDEEP: 6144:F5/ajfCT5B2VXdy1HsZVzJBTZYyk7i8IIlVR4dBicSka4GctucxFyaqjztgmM9g+:fmJBG/m05z7LeQia51fn698up
Malware Config
Extracted:
  family: njrat
  version: 0.7d
  adobe
  C2: hakim32.ddns.net:2000
  C2: 178.237.176.97:1604
  70a2da185a5371de029662fd48a04b9b
  reg_key: 70a2da185a5371de029662fd48a04b9b
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
  pid 1208 | process server.exe

Loads dropped DLL (1 IoCs)
  pid 2884 | process RegAsm.exe

Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2240 set thread context of 2884 | pid 2240 | process 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe | procid_target 28

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2240 | process 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe
  pid 2240 | process 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege | pid 2240 | process 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description: PID 2240 wrote to memory of 2884 | pid 2240 | process 0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe | procid_target 28 (11 entries)
  description: PID 2884 wrote to memory of 1208 | pid 2884 | process RegAsm.exe | procid_target 29 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0289ca0e6a5378bb01d2fdb5c84aaf07_JaffaCakes118.exe"
  PID: 2240
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 2884
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\server.exe
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      PID: 1208
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 52KB
MD5: 278edbd499374bf73621f8c1f969d894
SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9