Analysis

  max time kernel: 150s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-05-2024 16:55

Static task: static1

Behavioral task: behavioral1
  Sample: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

  Target: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
  Size: 1.1MB
  MD5: 471f44b8dda9fc7d870fd9c3b0ca9e9e
  SHA1: 468f47c964cb5b5f55b5815ca59933267da4dd7a
  SHA256: 087ab14dccf27b8defe6fd4b00e60d602b42dc9bcc92d4b71eaa71d34bb146a8
  SHA512: 3b70b76a6072b312821ae264cc77bb00ff9df08d5106339ae6fce52f416514cbd550560fd394eea0c325e821285878f1db6c414c1c936701f0aa50fd72caa6f4
  SSDEEP: 24576:25CUuHFZER78cA3Mp2Gc/tcTG6cYKY54I66WierjjALnDj:0eHFZM7tAG2GcliG4KYR66Wi0j0Dj
Malware Config

Extracted
  Family: njrat
  im523
  HacKer
  C2: 91.232.111.212:7777
  4a3d67ee61b43118e4130164dec374f7
  reg_key: 4a3d67ee61b43118e4130164dec374f7
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 2168: netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe)

Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe (expler.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe (expler.exe)

Executes dropped EXE (1 IoC)
  Processes:
    pid 3088: expler.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." (expler.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." (expler.exe)

Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    File created: C:\autorun.inf (expler.exe)
    File opened for modification: C:\autorun.inf (expler.exe)
    File created: D:\autorun.inf (expler.exe)
    File created: F:\autorun.inf (expler.exe)
    File opened for modification: F:\autorun.inf (expler.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes:
    pid 3852: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe (2 entries)
    pid 3088: expler.exe (15 entries)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  Processes:
    pid 5180: taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3088: expler.exe (64 entries, all the same process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3088: expler.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 3088: expler.exe
    Token: SeDebugPrivilege, pid 5180: taskkill.exe
    The remaining 34 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege, all for pid 3088: expler.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 3852: 471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe
    pid 3088: expler.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 3852 (471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe) wrote to memory of 3088 (expler.exe), 3 entries
    PID 3088 (expler.exe) wrote to memory of 2168 (netsh.exe), 3 entries
    PID 3088 (expler.exe) wrote to memory of 5180 (taskkill.exe), 3 entries
Processes

C:\Users\Admin\AppData\Local\Temp\471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe (PID 3852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\471f44b8dda9fc7d870fd9c3b0ca9e9e_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\expler.exe (PID 3088, child of 3852)
    Command line: "C:\Users\Admin\expler.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 2168, child of 3088)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\expler.exe" "expler.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\taskkill.exe (PID 5180, child of 3088)
      Command line: taskkill /F /IM Exsample.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\expler.exe
  Filesize: 1.1MB
  MD5: 471f44b8dda9fc7d870fd9c3b0ca9e9e
  SHA1: 468f47c964cb5b5f55b5815ca59933267da4dd7a
  SHA256: 087ab14dccf27b8defe6fd4b00e60d602b42dc9bcc92d4b71eaa71d34bb146a8
  SHA512: 3b70b76a6072b312821ae264cc77bb00ff9df08d5106339ae6fce52f416514cbd550560fd394eea0c325e821285878f1db6c414c1c936701f0aa50fd72caa6f4

memory/3088-26-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3088-41-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3088-40-0x0000000001000000-0x0000000001396000-memory.dmp
  Filesize: 3.6MB

memory/3088-28-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3088-24-0x0000000001000000-0x0000000001396000-memory.dmp
  Filesize: 3.6MB

memory/3088-27-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3852-3-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3852-25-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3852-23-0x0000000000E70000-0x0000000001206000-memory.dmp
  Filesize: 3.6MB

memory/3852-0-0x0000000000E70000-0x0000000001206000-memory.dmp
  Filesize: 3.6MB

memory/3852-2-0x0000000073F10000-0x00000000744C1000-memory.dmp
  Filesize: 5.7MB

memory/3852-1-0x0000000073F12000-0x0000000073F13000-memory.dmp
  Filesize: 4KB