Analysis

max time kernel: 147s
max time network: 144s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 02:19

Static task: static1
Behavioral task: behavioral1
Sample: 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe
Size: 270KB
MD5: 0428ff225e18a0e79774b8f1b0c30b80
SHA1: 806413191e59a704f26287aa5b0136d64dd2f30b
SHA256: 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563
SHA512: 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86
SSDEEP: 3072:WxNvADAOY5ZMb7kj92vW1gowzSRtqBP0u+BqNfzUubhpgeUATDPYiPzXGw2:WvveAb7MUgW1aBPUBqzb0ATDPbPD2
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: FLYLYLYL
C2: cihan05.duckdns.org:1954
Mutex: 079c805e27db52da73000f101b1bee84
Attributes
reg_key: 079c805e27db52da73000f101b1bee84
splitter: |'|'|

The C2 is a dynamic-DNS host (duckdns.org) on a non-standard port, so the hostname rather than an IP is the durable network indicator. The mutex and the reg_key are the same 32-character string, which gives one host-level indicator usable both as a named mutex and as a registry value name.
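The splitter attribute is what separates fields inside njRAT's command messages. As an added example (not code from this report or from njRAT itself), the Python below frames and splits messages the way the 0.7d family is generally documented to: an ASCII decimal length, a NUL byte, then the payload, with fields joined by the configured splitter. The framing is stated here as an assumption for illustration, and the sample stream, command verbs and field values are constructed placeholders, not traffic captured from this sample.

```python
"""Frame and field parsing for njRAT-style C2 messages using the extracted splitter.

Added example, not part of the sandbox report or of njRAT's own code.
Assumed wire shape: b"<decimal length>\x00<payload>", payload fields joined by SPLITTER.
"""
from typing import List, Tuple

SPLITTER = "|'|'|"          # from the extracted config above


def read_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a byte buffer into complete frames.

    Returns (payloads, remainder). The remainder is any trailing partial
    frame, which the caller prepends to the next socket read.
    """
    frames: List[bytes] = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            break                                   # no length terminator yet
        length_field = buf[:nul]
        if not length_field.isdigit():
            raise ValueError(f"bad length prefix {length_field!r}")
        length = int(length_field)
        start, end = nul + 1, nul + 1 + length
        if len(buf) < end:
            break                                   # incomplete frame, wait for more data
        frames.append(buf[start:end])
        buf = buf[end:]
    return frames, buf


def parse_fields(payload: bytes) -> List[str]:
    """Split one payload on the configured splitter; the first field is the command verb."""
    return payload.decode("utf-8", errors="replace").split(SPLITTER)


def build_frame(*fields: str) -> bytes:
    """Encode fields into one frame (used here only to construct test input)."""
    payload = SPLITTER.join(fields).encode()
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed stream: two complete frames followed by the start of a third.
# Verbs and values are placeholders, not data observed from this sample.
STREAM = (
    build_frame("ll", "VICTIM_ID_BASE64", "HWID-PLACEHOLDER", "WIN7-PC", "Admin")
    + build_frame("inf")
    + b"12\x00partial"
)


def demo() -> Tuple[List[List[str]], bytes]:
    """Parse STREAM and return (parsed field lists, unconsumed remainder)."""
    frames, rest = read_frames(STREAM)
    return [parse_fields(f) for f in frames], rest


if __name__ == "__main__":
    parsed, rest = demo()
    for fields in parsed:
        print(fields)
    print("remainder:", rest)
```

Splitting on the full splitter string rather than on `|` matters: the default splitter contains single quotes and pipes precisely so that ordinary field contents do not collide with it.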
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  PID 2992 netsh.exe

Executes dropped EXE (2 IoCs)
Processes:
  PID 2896 tmp.exe
  PID 2632 svhost.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe (2 events)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe set thread context of PID 2632 svhost.exe
  Taken together with the nine WriteProcessMemory calls from 2440 into 2632 listed below and the 48KB image at 0x00400000 in the svhost.exe memory dumps, this is consistent with the dropped svhost.exe being started suspended and hollowed with the njRAT payload.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
Processes:
  PID 2604 timeout.exe

NTFS ADS (1 IoC)
Processes:
  cmd.exe: file created C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe:Zone.Identifier
  The stream is on chormee.exe, a file name that does not appear among the dropped files listed under Downloads (only chormee.exe.bat, chormee.exe.jpg and the chormee.exe.lnk referenced by reg.exe do); the report does not show the contents of chormee.exe.bat.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  PID 2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe (10 events)

Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
  PID 2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe: SeDebugPrivilege
  PID 2896 tmp.exe: SeDebugPrivilege
  PID 2896 tmp.exe: privilege 33, then SeIncBasePriorityPrivilege (the pair repeats 17 times, 34 events). The report leaves LUID 33 unmapped; in winnt.h it is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (source PID -> target PID, event count):
  2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe -> 2304 cmd.exe (4)
  2304 cmd.exe -> 2668 reg.exe (4)
  2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe -> 2896 tmp.exe (4)
  2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe -> 2632 svhost.exe (9)
  2440 0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe -> 2536 cmd.exe (4)
  2536 cmd.exe -> 2604 timeout.exe (4)
  2896 tmp.exe -> 2992 netsh.exe (4)
  The uniform four writes into each spawned child recur for every ordinary process creation in this report, so the nine writes into svhost.exe are the outlier worth attention.
Processes

C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe (PID 2440)
  "C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 2304)
    "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe (PID 2668)
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.lnk" /f
      The Load value under this key is the registry mapping of the old win.ini load= line: anything it names is started at logon. It is checked far less often than the Run keys, and here it points at a .lnk rather than directly at the executable.

  C:\Users\Admin\AppData\Roaming\tmp.exe (PID 2896)
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 2992)
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE
      - Modifies Windows Firewall

  C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 2632)
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (PID 2536)
    cmd /c C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 2604)
      timeout /t 300
      - Delays execution with timeout.exe
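The chain above (reg.exe setting the Windows\Load logon value, netsh.exe whitelisting a binary under AppData, cmd /c running a dropped .bat, timeout /t 300 used as a sleep) maps directly onto process-creation detection rules. The following Python is an added example, not part of the sandbox report or of any detection product: it defines four rules over a minimal event record loosely modelled on Sysmon process-creation fields (Image, CommandLine, ParentImage) and runs them over events constructed from the process tree in this report. The ProcEvent class, rule names, finding strings and the USER_WRITABLE path pattern are assumptions made for the example; image paths, command lines and PIDs are taken from the report, and the root process's parent is left blank because the report does not show it.

```python
"""Process-creation rules for the persistence / evasion chain in this report.

Added example, not part of the sandbox report. Events below are constructed
from the report's process tree; they are not raw telemetry from the sandbox.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Paths a standard user can write to (assumption for the example).
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\")


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str
    pid: int = 0
    parent_pid: int = 0


def rule_winlogon_load_value(ev: ProcEvent) -> Optional[str]:
    """reg.exe adding the Windows NT\\CurrentVersion\\Windows\\Load logon value."""
    cl = ev.command_line.lower()
    if (ev.image.lower().endswith("\\reg.exe") and " add " in cl
            and "currentversion\\windows" in cl and re.search(r"/v\s+load\b", cl)):
        return "T1547: logon autostart via Windows NT\\CurrentVersion\\Windows\\Load set by reg.exe"
    return None


def rule_netsh_allowedprogram(ev: ProcEvent) -> Optional[str]:
    """netsh firewall add allowedprogram for a binary in a user-writable path."""
    cl = ev.command_line.lower()
    if ev.image.lower().endswith("\\netsh.exe") and "allowedprogram" in cl and "enable" in cl:
        m = re.search(r'allowedprogram\s+"?([^"]+?\.exe)"?', cl)
        if m and USER_WRITABLE.search(m.group(1)):
            return f"T1562.004: firewall exception for user-writable binary {m.group(1)}"
    return None


def rule_cmd_bat_from_temp(ev: ProcEvent) -> Optional[str]:
    """cmd /c launching a .bat that lives under a user-writable path."""
    cl = ev.command_line.lower()
    if (ev.image.lower().endswith("\\cmd.exe") and "/c" in cl
            and ".bat" in cl and USER_WRITABLE.search(cl)):
        return "T1059.003: cmd.exe executing batch file from user-writable path"
    return None


def rule_timeout_delay(ev: ProcEvent) -> Optional[str]:
    """timeout.exe under cmd.exe with a long wait: sleep-based analysis evasion."""
    if ev.image.lower().endswith("\\timeout.exe") and ev.parent_image.lower().endswith("\\cmd.exe"):
        m = re.search(r"/t\s+(\d+)", ev.command_line.lower())
        if m and int(m.group(1)) >= 60:        # threshold is an assumption
            return f"T1497.003: execution delayed {m.group(1)}s with timeout.exe"
    return None


RULES = [rule_winlogon_load_value, rule_netsh_allowedprogram, rule_cmd_bat_from_temp, rule_timeout_delay]


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (pid, finding) pairs in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev.pid, hit))
    return findings


# Constructed events following the process tree in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0428ff225e18a0e79774b8f1b0c30b80_JaffaCakes118.exe"
EVENTS = [
    ProcEvent(SAMPLE, f'"{SAMPLE}"', "", 2440, 0),      # parent not shown in the report
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe", SAMPLE, 2304, 2440),
    ProcEvent(r"C:\Windows\SysWOW64\reg.exe",
              r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ '
              r'/d "C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.lnk" /f',
              r"C:\Windows\SysWOW64\cmd.exe", 2668, 2304),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\tmp.exe",
              r'"C:\Users\Admin\AppData\Roaming\tmp.exe"', SAMPLE, 2896, 2440),
    ProcEvent(r"C:\Windows\SysWOW64\netsh.exe",
              r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\tmp.exe" "tmp.exe" ENABLE',
              r"C:\Users\Admin\AppData\Roaming\tmp.exe", 2992, 2896),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\svhost.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"', SAMPLE, 2632, 2440),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat", SAMPLE, 2536, 2440),
    ProcEvent(r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 300",
              r"C:\Windows\SysWOW64\cmd.exe", 2604, 2536),
]

if __name__ == "__main__":
    for pid, finding in evaluate(EVENTS):
        print(pid, finding)
```

Each rule keys on the combination of a system binary and an argument pattern rather than on the sample's file names, so the same rules fire on the next campaign that drops under a different directory. The path filter in the firewall rule is what keeps legitimate installers adding exceptions for binaries under Program Files from producing noise.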
Downloads

C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.bat
Filesize: 194B
MD5: 609f21988eae322f33f775df1cee0481
SHA1: 30b3f2bdab680ffd92ac2cd248a6af3cdfcddd01
SHA256: 4891ae96168de7eb45ea4d17bdbd31ea8b29124163e3d982f4f6f120ff07e487
SHA512: 061d3896c955966feae7c4f698d7e313439586c9c300a763769f1f9fa58068a68766824a970df9f3f56ee1bab32685109eed4e928b15be8445d93602be2efadb

C:\Users\Admin\AppData\Local\Temp\chorme\chormee.exe.jpg
Filesize: 270KB
MD5: 0428ff225e18a0e79774b8f1b0c30b80
SHA1: 806413191e59a704f26287aa5b0136d64dd2f30b
SHA256: 54f0b6b1c309caccd02bab4a0013277e9f1ffde051fd2e45a59d784d1f425563
SHA512: 66e69515691834cb8e143e65addfbd5e1368a173da697614adb8c4b15f046aadabb15e93c0809708a0a82f7f59781ca74169756cd7012199e5c753ef502b2b86
Identical in size and in every hash to the submitted sample: the dropper copies itself under a .jpg name.

\Users\Admin\AppData\Local\Temp\svhost.exe
Filesize: 85KB
MD5: 2e5f1cf69f92392f8829fc9c9263ae9b
SHA1: 97b9ca766bbbdaa8c9ec960dc41b598f7fad82a5
SHA256: 51985a57e085d8b17042f0cdc1f905380b792854733eb3275fd8fce4e3bb886b
SHA512: f7e096dd9d0fa3a3c04c01bf229c4b344798a4c8b7b848588c1d78cb9fadfa9b1d0fd53c1fe74d191d5561e9eb551a4a3fc918363f119ea60024dd3d67c83883

\Users\Admin\AppData\Roaming\tmp.exe
Filesize: 23KB
MD5: 2177a5b2d4432d38ff059f9feb9b560f
SHA1: e7c62227fa5fc416cd6d0bb4fec2dc34057130f9
SHA256: 76e3aa841279c976da1f37a675960dd7fcf119ef65bbe36764af1e4437c05bbf
SHA512: 5c6adffad74eaa7d7ba418d1b7e2ee64d57036c0b25227746799e65e3f76817393f3416e382e13c3e179c9a9015530e5d0a791c42e83e8618398ee42d03fbfe3
memory/2440-0-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2440-2-0x0000000000260000-0x00000000002A0000-memory.dmp  Filesize: 256KB
memory/2440-1-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2440-46-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2632-23-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-34-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-32-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
memory/2632-29-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-27-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-25-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2632-35-0x0000000000400000-0x000000000040C000-memory.dmp  Filesize: 48KB
memory/2896-37-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2896-22-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2896-47-0x0000000074F80000-0x000000007552B000-memory.dmp  Filesize: 5.7MB
memory/2896-48-0x0000000000500000-0x0000000000540000-memory.dmp  Filesize: 256KB