Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
- submitted: 15-05-2024 16:55
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Resource: win7-20240220-en
- Behavioral task: behavioral2
  Sample: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
- Target: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 471f44b8dda9fc7d870fd9c3b0ca9e9e
- SHA1: 468f47c964cb5b5f55b5815ca59933267da4dd7a
- SHA256: 087ab14dccf27b8defe6fd4b00e60d602b42dc9bcc92d4b71eaa71d34bb146a8
- SHA512: 3b70b76a6072b312821ae264cc77bb00ff9df08d5106339ae6fce52f416514cbd550560fd394eea0c325e821285878f1db6c414c1c936701f0aa50fd72caa6f4
- SSDEEP: 24576:25CUuHFZER78cA3Mp2Gc/tcTG6cYKY54I66WierjjALnDj:0eHFZM7tAG2GcliG4KYR66Wi0j0Dj
Malware Config
Extracted family: njrat
- im523
- HacKer
- 91.232.111.212:7777
- 4a3d67ee61b43118e4130164dec374f7
- reg_key: 4a3d67ee61b43118e4130164dec374f7
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid | process
    2844 | netsh.exe
- Drops startup file (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe | expler.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe | expler.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    2400 | expler.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    2348 | 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." | expler.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." | expler.exe
- Drops autorun.inf file (1 TTPs, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    description | ioc | process
    File created | C:\autorun.inf | expler.exe
    File opened for modification | C:\autorun.inf | expler.exe
    File created | D:\autorun.inf | expler.exe
    File created | F:\autorun.inf | expler.exe
    File opened for modification | F:\autorun.inf | expler.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes:
    pid | process
    2348 | 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe (2 entries)
    2400 | expler.exe (15 entries)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | process
    2572 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid | process
    2400 | expler.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    2400 | expler.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2400 | expler.exe
    Token: SeDebugPrivilege | 2572 | taskkill.exe
    Token: 33 | 2400 | expler.exe (17 entries, alternating with the row below)
    Token: SeIncBasePriorityPrivilege | 2400 | expler.exe (17 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    2348 | 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
    2400 | expler.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 2348 wrote to memory of 2400 | 2348 | 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe | expler.exe (4 entries)
    PID 2400 wrote to memory of 2844 | 2400 | expler.exe | netsh.exe (4 entries)
    PID 2400 wrote to memory of 2572 | 2400 | expler.exe | taskkill.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\expler.exe
    Command line: "C:\Users\Admin\expler.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\expler.exe" "expler.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /F /IM Exsample.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads
- \Users\Admin\expler.exe
  Filesize: 1.1MB
  MD5: 471f44b8dda9fc7d870fd9c3b0ca9e9e
  SHA1: 468f47c964cb5b5f55b5815ca59933267da4dd7a
  SHA256: 087ab14dccf27b8defe6fd4b00e60d602b42dc9bcc92d4b71eaa71d34bb146a8
  SHA512: 3b70b76a6072b312821ae264cc77bb00ff9df08d5106339ae6fce52f416514cbd550560fd394eea0c325e821285878f1db6c414c1c936701f0aa50fd72caa6f4
- memory/2348-0-0x0000000000EC0000-0x0000000001256000-memory.dmp (Filesize: 3.6MB)
- memory/2348-1-0x0000000074581000-0x0000000074582000-memory.dmp (Filesize: 4KB)
- memory/2348-2-0x0000000074580000-0x0000000074B2B000-memory.dmp (Filesize: 5.7MB)
- memory/2348-3-0x0000000074580000-0x0000000074B2B000-memory.dmp (Filesize: 5.7MB)
- memory/2348-9-0x0000000006260000-0x00000000065F6000-memory.dmp (Filesize: 3.6MB)
- memory/2348-15-0x0000000074580000-0x0000000074B2B000-memory.dmp (Filesize: 5.7MB)
- memory/2348-13-0x0000000000EC0000-0x0000000001256000-memory.dmp (Filesize: 3.6MB)
- memory/2400-14-0x0000000074580000-0x0000000074B2B000-memory.dmp (Filesize: 5.7MB)
- memory/2400-27-0x0000000074580000-0x0000000074B2B000-memory.dmp (Filesize: 5.7MB)