Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 07:26
Behavioral task behavioral1
Sample: 593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe
Resource: win10v2004-20240508-en
The signatures, process tree and memory dumps below come from behavioral1 (the Windows 7 x64 run); no results from the Windows 10 task are reproduced on this page.
General
Target: 593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe
Size: 58KB
MD5: 593b3910c7e97e6d426e6334f94a4ba1
SHA1: 5a965364feb9ffa80fbacde302a7d85e835d2749
SHA256: ed72d5b85be09ea8d6da3f34c867224f996306e76732026fa30d45c6e9c83f46
SHA512: efc0581a3a82137f9763fa785ef9df3cdae54a99bd884c03b05e087816dd0e5eb16f4361292508ee59e3c596887e44063737a8fc09f99f79e5eaee4e27a107be
SSDEEP: 1536:IKYQ3VQByoCI9sVc1lFODeQXYZoIQkKhlW83:vF3VkyoDsC/FODjIQkKq83
Malware Config
Extracted: njrat
Version: 0.6.4
Campaign / victim name: تم الاختراق من قبل دكتور الغربية # (Arabic, "Hacked by Doctor Al-Gharbia #")
C2: Dr187.ddns.net:999 (a dynamic-DNS hostname; the resolved IP will change over time, so block and hunt on the hostname and port rather than on an address)
Install ID: 59e66e4fd01ed7a53bb65713760bdb7d (reused below as the Run value name and as the Startup-folder file name)
reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
splitter: |'|'|
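The splitter above is the field separator njRAT puts between the parts of every C2 message. The following is an added example, not code from this report or from the njRAT author: it frames a reassembled TCP stream the way njRAT 0.6.x does (an ASCII decimal length, a NUL byte, then that many payload bytes, as documented in public write-ups), splits each payload on the configured splitter, and pulls the bot ID and host name out of a registration message. The framing, the "ll" field layout, and the sample stream are assumptions constructed for the example; only SPLITTER and the C2 host:port come from the extracted config.

```python
"""Frame and split njRAT C2 traffic using the splitter from the extracted config."""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
C2_HOST, C2_PORT = "Dr187.ddns.net", 999

# njRAT wire framing: ASCII decimal length, a NUL byte, then that many payload
# bytes (assumed from public njRAT write-ups, not from this report).
_LEN_PREFIX = re.compile(rb"^(\d{1,7})\x00")


def parse_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a reassembled TCP stream into complete njRAT payloads.

    Returns (payloads, tail); tail is an incomplete trailing frame still waiting
    for more bytes. Raises ValueError when the data does not use length-NUL
    framing at all, so callers can tell "not njRAT" from "njRAT but truncated".
    """
    payloads: List[bytes] = []
    while buf:
        m = _LEN_PREFIX.match(buf)
        if not m:
            if buf.isdigit() and len(buf) <= 7:
                break  # the length prefix itself is still arriving
            raise ValueError("not njRAT framing: %r" % buf[:16])
        length = int(m.group(1))
        start = m.end()
        if len(buf) < start + length:
            break  # partial frame: keep it as the tail
        payloads.append(buf[start:start + length])
        buf = buf[start + length:]
    return payloads, buf


def split_fields(payload: bytes) -> List[str]:
    """Fields are joined with the splitter and never escaped, so a plain split is exact."""
    return payload.decode("utf-8", "replace").split(SPLITTER)


def _maybe_b64(field: str) -> str:
    """Decode a field the bot base64-encodes; return it unchanged if it is not base64 text."""
    try:
        text = base64.b64decode(field, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return field
    return text if text.isprintable() else field


def summarize(payload: bytes) -> Dict[str, object]:
    """Report the command keyword and, for a registration ("ll") message, bot ID and host name.

    The "ll" field positions follow public protocol descriptions and are an
    assumption here; other commands are only reported by keyword and field count.
    """
    fields = split_fields(payload)
    info: Dict[str, object] = {"cmd": fields[0], "nfields": len(fields)}
    if fields[0] == "ll" and len(fields) > 2:
        info["bot_id"] = fields[1]
        info["hostname"] = _maybe_b64(fields[2])
    return info


def looks_like_njrat(buf: bytes) -> bool:
    """Cheap stream classifier: valid framing plus the splitter inside a complete frame."""
    try:
        payloads, _ = parse_frames(buf)
    except ValueError:
        return False
    return any(SPLITTER.encode() in p for p in payloads)


def _frame(*fields: str) -> bytes:
    """Build one frame the way the bot would (used only to construct the sample below)."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed sample stream (not captured from this sample): a registration message,
# a short command, and the first bytes of a frame that has not fully arrived.
SAMPLE_STREAM = (
    _frame("ll", "VICTIM_1A2B3C4D", base64.b64encode(b"DESKTOP-TEST").decode(),
           "Admin", "24-05-19", "US", "Win 7 Ultimate SP1 x64", "No", "0.6.4")
    + _frame("inf")
    + b"5\x00P|'|"
)

if __name__ == "__main__":
    frames, tail = parse_frames(SAMPLE_STREAM)
    for f in frames:
        print(summarize(f))
    print("partial tail:", tail, "njrat:", looks_like_njrat(SAMPLE_STREAM))
```

Feed `parse_frames` the reassembled client-to-server bytes of a TCP session to port 999 and keep the returned tail for the next segment; because the bot never escapes the splitter, a frame whose payload does not contain it is a plain keep-alive, not a parsing failure.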
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 1732)
  Adds a per-program exception for the dropped copy through the legacy "netsh firewall" context (command line in the process tree below). That context is deprecated in favour of "netsh advfirewall firewall" but is still honoured, so the exception takes effect.

Drops startup file (2 IoCs)
  Process: Google Root.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
  The file name is the reg_key from the extracted config.

Executes dropped EXE (1 IoC)
  Process: Google Root.exe (PID 2360)
  Google Root.exe has the same hashes as the submitted sample (see Downloads): the first stage is the RAT itself copied to %TEMP% and relaunched, not a separate second-stage payload.

Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
  resource: behavioral1/memory/2348-1-0x0000000001140000-0x0000000001154000-memory.dmp, yara_rule: agile_net
  resource: C:\Users\Admin\AppData\Local\Temp\Google Root.exe, yara_rule: agile_net
  resource: behavioral1/memory/2360-8-0x00000000013E0000-0x00000000013F4000-memory.dmp, yara_rule: agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Google Root.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
  The value name is again the reg_key from the config, and the command line carries the trailing ".." argument njRAT passes to its own copy. The HKLM write succeeding means the sample ran with administrative rights in this sandbox; on a standard-user host only the HKCU value would be created.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Process: Google Root.exe (PID 2360), all 18 occurrences.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: Google Root.exe (PID 2360), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2348 (593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe) wrote to memory of PID 2360 (Google Root.exe), 3 times
  PID 2360 (Google Root.exe) wrote to memory of PID 1732 (netsh.exe), 3 times
  Each parent wrote only to the child it had just spawned, the pattern the sandbox records for ordinary process creation; nothing here points to injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\593b3910c7e97e6d426e6334f94a4ba1_JaffaCakes118.exe"
   PID: 2348
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Google Root.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
      PID: 2360
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
         PID: 1732
         - Modifies Windows Firewall
         The exception is registered under the display name "Google Root.exe" and is visible on an infected host with "netsh firewall show allowedprogram".
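The chain in this process tree (Run value in HKCU and HKLM, a copy in the Startup folder, and a netsh firewall exception, all pointing at the same executable under AppData\Local\Temp) is what a detection should key on rather than the file hash, which changes with every build. The following is an added example, not part of this report or of any sandbox's rule set: three rules evaluated over Sysmon-style events (EventID 13 registry set, 11 file create, 1 process create) and correlated per responsible process. The event records are constructed from the IoCs on this page, plus one benign Run value to show what does not fire; the event field names follow Sysmon's but the records are not real logs.

```python
"""Hunt the njRAT persistence and firewall-exception chain from the process tree above
over Sysmon-style events (EventID 1 process create, 11 file create, 13 registry set)."""
import os
import re
from typing import Dict, List

DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"   # path from the report

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)                      # njRAT-style install ID
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per matching event; each names the responsible process
    (the parent for netsh.exe) so that findings can be correlated."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "13":
            m = RUN_VALUE.search(ev.get("TargetObject", ""))
            if not m:
                continue
            name, data = m.group(1), ev.get("Details", "")
            why = []
            if TEMP_DIR.search(data):
                why.append("autorun target lives under AppData\\Local\\Temp")
            if HEX32.match(name):
                why.append("value name is a 32-hex-digit install ID")
            if data.rstrip().endswith(" .."):
                why.append('command line ends with " ..", the argument njRAT passes to its own copy')
            if why:
                findings.append({"rule": "run_key", "process": ev["Image"],
                                 "object": ev["TargetObject"], "why": why})
        elif eid == "11":
            m = STARTUP_FILE.search(ev.get("TargetFilename", ""))
            if not m:
                continue
            why = []
            if HEX32.match(os.path.splitext(m.group(1))[0]):
                why.append("startup file name is a 32-hex-digit install ID")
            if TEMP_DIR.search(ev.get("Image", "")):
                why.append("written by a process running from AppData\\Local\\Temp")
            if why:
                findings.append({"rule": "startup_file", "process": ev["Image"],
                                 "object": ev["TargetFilename"], "why": why})
        elif eid == "1":
            m = NETSH_ALLOW.search(ev.get("CommandLine", ""))
            if not m:
                continue
            path = m.group(1) or m.group(2)
            if TEMP_DIR.search(path):
                findings.append({"rule": "firewall_exception",
                                 "process": ev.get("ParentImage", ev["Image"]),
                                 "object": path,
                                 "why": ["firewall exception for a program under AppData\\Local\\Temp"]})
    return findings


def correlate(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group rule hits by responsible process; a process hitting two or more of the
    three rules reproduces the chain in the process tree above."""
    by_proc: Dict[str, set] = {}
    for f in findings:
        by_proc.setdefault(str(f["process"]), set()).add(str(f["rule"]))
    return {p: sorted(r) for p, r in by_proc.items()}


# Constructed Sysmon-style events mirroring the report's IoCs, plus one benign Run value.
SID = "S-1-5-21-3691908287-3775019229-3534252667-1000"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": DROPPED,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": "13", "Image": DROPPED,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d",
     "Details": f'"{DROPPED}" ..'},
    {"EventID": "11", "Image": DROPPED,
     "TargetFilename": rf"{STARTUP}\59e66e4fd01ed7a53bb65713760bdb7d.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": DROPPED,
     "CommandLine": f'netsh firewall add allowedprogram "{DROPPED}" "Google Root.exe" ENABLE'},
    {"EventID": "13", "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f["rule"], f["process"], f["why"])
    print(correlate(evaluate(EVENTS)))
```

Each rule fires on its own for triage, but the per-process grouping from `correlate` is the stronger signal: a single image that writes an autorun, plants a Startup-folder copy and opens a firewall hole for itself is the njRAT install routine regardless of what the binary is called or how it is hashed.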
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
The Windows Service mapping is the sandbox's generic tag for this signature family; no service creation appears in the signatures or process tree above. The persistence actually observed is the Run value plus the Startup-folder copy.
Downloads
C:\Users\Admin\AppData\Local\Temp\Google Root.exe
  Filesize: 58KB
  MD5: 593b3910c7e97e6d426e6334f94a4ba1
  SHA1: 5a965364feb9ffa80fbacde302a7d85e835d2749
  SHA256: ed72d5b85be09ea8d6da3f34c867224f996306e76732026fa30d45c6e9c83f46
  SHA512: efc0581a3a82137f9763fa785ef9df3cdae54a99bd884c03b05e087816dd0e5eb16f4361292508ee59e3c596887e44063737a8fc09f99f79e5eaee4e27a107be
  Identical to the submitted sample in every hash: the dropped file is a byte-for-byte self-copy.
memory/2348-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp: 4KB
memory/2348-1-0x0000000001140000-0x0000000001154000-memory.dmp: 80KB (agile_net YARA hit above)
memory/2348-2-0x00000000001D0000-0x00000000001DE000-memory.dmp: 56KB
memory/2360-8-0x00000000013E0000-0x00000000013F4000-memory.dmp: 80KB (agile_net YARA hit above)
memory/2360-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp: 9.9MB
memory/2360-11-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp: 9.9MB
memory/2360-12-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp: 9.9MB
memory/2360-13-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp: 9.9MB