Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 15-05-2024 16:22
Behavioral task behavioral1
- Sample: 4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe
- Size: 134KB
- MD5: 4701184e44814ce10db47e9adf55088b
- SHA1: 658c1444f95ecb3930cb490368421eb0f2ec2b6a
- SHA256: f816cf3c16d0925ccc3bcde9e7e01c80c4aa7f675595fcb6b599213cb4805de1
- SHA512: db609061362e4319bcea52b9d073b7461fbc5156e4fe0b19fa9d840f1de5f95466137f5ec392a9beac5024040f905fdf5357121e81afe57a7cf1845e2d161045
- SSDEEP: 3072:/RizzKqY6rDC+tYw3RFa2je49OYwERuHTOUoRe:/Ri7/C+SQRgj4MHTOD
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: تم الاختراق من قبل دكتور الغربية #
- C2: Dr187.ddns.net:999
- Mutex: 59e66e4fd01ed7a53bb65713760bdb7d
Attributes
- reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
- splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- netsh.exe (PID 2856)

Drops startup file (2 IoCs)
Processes (Google Root.exe):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe

Executes dropped EXE (1 IoC)
Processes:
- Google Root.exe (PID 1256)

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources matching YARA rule agile_net:
- behavioral1/memory/2364-1-0x0000000000C60000-0x0000000000C88000-memory.dmp
- C:\Users\Admin\AppData\Local\Temp\Google Root.exe
- behavioral1/memory/1256-9-0x0000000000BB0000-0x0000000000BD8000-memory.dmp

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (Google Root.exe):
- Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
- Google Root.exe (PID 1256), 18 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Google Root.exe (PID 1256): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 2364 (4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe) wrote to memory of PID 1256 (Google Root.exe), 3 times
- PID 1256 (Google Root.exe) wrote to memory of PID 2856 (netsh.exe), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4701184e44814ce10db47e9adf55088b_JaffaCakes118.exe"
   PID: 2364
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Google Root.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
      PID: 1256
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
         PID: 2856
         - Modifies Windows Firewall
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Google Root.exe
  Filesize: 134KB
  MD5: 4701184e44814ce10db47e9adf55088b
  SHA1: 658c1444f95ecb3930cb490368421eb0f2ec2b6a
  SHA256: f816cf3c16d0925ccc3bcde9e7e01c80c4aa7f675595fcb6b599213cb4805de1
  SHA512: db609061362e4319bcea52b9d073b7461fbc5156e4fe0b19fa9d840f1de5f95466137f5ec392a9beac5024040f905fdf5357121e81afe57a7cf1845e2d161045
- memory/1256-9-0x0000000000BB0000-0x0000000000BD8000-memory.dmp (Filesize: 160KB)
- memory/1256-12-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)
- memory/1256-13-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)
- memory/1256-14-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)
- memory/1256-15-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)
- memory/2364-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmp (Filesize: 4KB)
- memory/2364-1-0x0000000000C60000-0x0000000000C88000-memory.dmp (Filesize: 160KB)
- memory/2364-2-0x0000000000150000-0x000000000015C000-memory.dmp (Filesize: 48KB)
- memory/2364-3-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)
- memory/2364-10-0x000007FEF5670000-0x000007FEF605C000-memory.dmp (Filesize: 9.9MB)