Analysis
Max time kernel: 149s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 18-05-2024 08:19
Behavioral task: behavioral1
Sample: 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General
Target: 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
Size: 228KB
MD5: 53cd92f44b837f835fe4e3ab7a53dda1
SHA1: c054c5568ecbf3eb7535670a0b5de3cc2763b476
SHA256: 24edc3ee97543e44ed48c91413aa4a34a57866cee28c86b1187ecdcddc52983c
SHA512: 3d7319303af1f68f80e08769925a7c5a435d127b3dc529657a90c1b43a99d09fb1281110136a64186b11f5b79d9d4b69555ddf433c22d0527fc591bce83ce604
SSDEEP: 6144:/Puw1LRQ2l67whSrkbo2F3S1NfyKT00m3UVwBmTVi/VxG:Huw1Lm2l6VM0II1UHVVx
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: تم الاختراق من قبل دكتور الغربية #
C2: Dr187.ddns.net:999
Mutex: 59e66e4fd01ed7a53bb65713760bdb7d
Attributes:
  reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe
  pid  | process
  2676 | netsh.exe
Drops startup file (2 IoCs)
Processes: Google Root.exe
  description                  | ioc                                                                                                             | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | Google Root.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe | Google Root.exe
Executes dropped EXE (1 IoC)
Processes: Google Root.exe
  pid  | process
  2936 | Google Root.exe
Loads dropped DLL (1 IoC)
Processes: 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
  pid  | process
  2276 | 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                     | yara_rule
  behavioral1/memory/2276-1-0x00000000008B0000-0x00000000008EE000-memory.dmp  | agile_net
  \Users\Admin\AppData\Local\Temp\Google Root.exe                             | agile_net
  behavioral1/memory/2936-11-0x0000000000B30000-0x0000000000B6E000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Google Root.exe
  description     | ioc                                                                                                                                                                                   | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .." | Google Root.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."                       | Google Root.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes: Google Root.exe
  pid  | process
  2936 | Google Root.exe   (17 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Google Root.exe
  description             | pid  | process
  Token: SeDebugPrivilege | 2936 | Google Root.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe, Google Root.exe
  description                       | pid  | process                                            | target process
  PID 2276 wrote to memory of 2936  | 2276 | 53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe | Google Root.exe   (4 identical entries)
  PID 2936 wrote to memory of 2676  | 2936 | Google Root.exe                                    | netsh.exe         (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53cd92f44b837f835fe4e3ab7a53dda1_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Google Root.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

\Users\Admin\AppData\Local\Temp\Google Root.exe
  Filesize: 228KB
  MD5: 53cd92f44b837f835fe4e3ab7a53dda1
  SHA1: c054c5568ecbf3eb7535670a0b5de3cc2763b476
  SHA256: 24edc3ee97543e44ed48c91413aa4a34a57866cee28c86b1187ecdcddc52983c
  SHA512: 3d7319303af1f68f80e08769925a7c5a435d127b3dc529657a90c1b43a99d09fb1281110136a64186b11f5b79d9d4b69555ddf433c22d0527fc591bce83ce604
memory/2276-0-0x000000007420E000-0x000000007420F000-memory.dmp
  Filesize: 4KB

memory/2276-1-0x00000000008B0000-0x00000000008EE000-memory.dmp
  Filesize: 248KB

memory/2276-3-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB

memory/2276-2-0x0000000000230000-0x000000000023E000-memory.dmp
  Filesize: 56KB

memory/2276-15-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB

memory/2936-12-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB

memory/2936-11-0x0000000000B30000-0x0000000000B6E000-memory.dmp
  Filesize: 248KB

memory/2936-13-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB

memory/2936-16-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB

memory/2936-17-0x0000000074200000-0x00000000748EE000-memory.dmp
  Filesize: 6.9MB