Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 15:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
Target: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
Size: 210KB
MD5: 1d436a4cc5e5cfb02d87dea4ff79e4b0
SHA1: 40f5564c91050fa44ea31d87b4bedca80638d1d8
SHA256: cb721eeebde355b68ec90050889b2427b67150b08f89e790328505f13d7956c3
SHA512: 57359b96e319460c03a41754238a4f3904978f12686a474ef0b5c4ec4bcfc9a05874f201799306232a6057c3429e82fef8bb0aa383e4f624bd6b288b98026b84
SSDEEP: 1536:yj6wz8pFu0dcxccjc9Gye5gLO9vEWWG5nukXegDkHEBxhcV91BdqcXpgfKiNZK1p:y7V77qSeoVUl7106LwdiB
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
victim
shooey.ddns.net:5353
Windows Update
reg_key: Windows Update
splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
- Drops startup file (2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | svchost.exe
- Executes dropped EXE (3 IoCs)
  Processes: svchost.exe, Server.exe, Server.exe
  pid | process
  376 | svchost.exe
  3804 | Server.exe
  4780 | Server.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe, svchost.exe
  pid | process
  216 | 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
  376 | svchost.exe
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 376 | svchost.exe
  Token: 33 | 376 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 376 | svchost.exe
  (the pair "Token: 33" / "Token: SeIncBasePriorityPrivilege" for pid 376 svchost.exe is repeated 15 times in the report, giving 31 entries in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe, svchost.exe
  description | pid | process | target process
  PID 216 wrote to memory of 376 | 216 | 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe | svchost.exe
  PID 216 wrote to memory of 376 | 216 | 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe | svchost.exe
  PID 216 wrote to memory of 376 | 216 | 1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe | svchost.exe
  PID 376 wrote to memory of 4664 | 376 | svchost.exe | schtasks.exe
  PID 376 wrote to memory of 4664 | 376 | svchost.exe | schtasks.exe
  PID 376 wrote to memory of 4664 | 376 | svchost.exe | schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d436a4cc5e5cfb02d87dea4ff79e4b0_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\svchost.exe
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Server.exe.log
  Filesize: 706B
  MD5: 2d90411ca2e4d7ef408e783585795907
  SHA1: fb22747c207d8cdea79b181361004416c5a8fd10
  SHA256: aba1796b97761c6801df3fd42f47e207bb4e2c355444140adcb196ed464f8a31
  SHA512: c3a3fb4b59e09e62d8e77ebd2d0471d9d5b9cf46f28f2e4aa21ace7faf37dd6c0e99b17c5d1dac2394e41268d3d3b788aafe275e33ff6c268858c99e22c4ce00
C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 210KB
  MD5: 1d436a4cc5e5cfb02d87dea4ff79e4b0
  SHA1: 40f5564c91050fa44ea31d87b4bedca80638d1d8
  SHA256: cb721eeebde355b68ec90050889b2427b67150b08f89e790328505f13d7956c3
  SHA512: 57359b96e319460c03a41754238a4f3904978f12686a474ef0b5c4ec4bcfc9a05874f201799306232a6057c3429e82fef8bb0aa383e4f624bd6b288b98026b84
memory/216-19-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/216-1-0x0000000000A80000-0x0000000000ABA000-memory.dmp
  Filesize: 232KB
memory/216-4-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/216-5-0x0000000005BC0000-0x0000000006164000-memory.dmp
  Filesize: 5.6MB
memory/216-6-0x0000000005880000-0x0000000005912000-memory.dmp
  Filesize: 584KB
memory/216-2-0x0000000005420000-0x00000000054BC000-memory.dmp
  Filesize: 624KB
memory/216-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp
  Filesize: 4KB
memory/216-3-0x0000000002D70000-0x0000000002D82000-memory.dmp
  Filesize: 72KB
memory/376-20-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/376-24-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/376-23-0x0000000005C90000-0x0000000005C9A000-memory.dmp
  Filesize: 40KB
memory/3804-27-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/3804-28-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB
memory/3804-30-0x0000000074FF0000-0x00000000757A0000-memory.dmp
  Filesize: 7.7MB