Analysis
  Max time kernel: 149s
  Max time network: 146s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240508-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 22-05-2024 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe
  Resource: win7-20240508-en
General
  Target: 68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe
  Size: 72KB
  MD5: 68e05f32c339585c1d415c35d805245f
  SHA1: d6917a7251b868bf957c12b8f3c03640f55b79c4
  SHA256: ed6398ae88f980ec67453283ae2087086f98236250e7fe1d071fa39d0b0f966e
  SHA512: aee88d6406b8c7e6453fb236940adb25f0164ea53ee81256a30303610c4821bd47eac86aa5d2e795f700801c6d7f9b43f2ee1995de7caa80c5dd5b6ac02fdcb3
  SSDEEP: 1536:D3eJG53G73mxdvddLYh7TYOVZkH+qYPTkU:D32GhNvzYhNu+qKkU
Malware Config
  Extracted
    Family: njrat
    Version: 0.7d
    Botnet: HacKed
    C2: cookiemac.ddns.net:1177
    Mutex: 2e9be554f9032c4fbb4dfe992747084c
    Attributes:
      reg_key: 2e9be554f9032c4fbb4dfe992747084c
      splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes (pid, process):
    3588  netsh.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe
Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e9be554f9032c4fbb4dfe992747084c.exe  svchost.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2e9be554f9032c4fbb4dfe992747084c.exe  svchost.exe
Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    3532  svchost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  3096  68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe
    Token: SeDebugPrivilege  3532  svchost.exe
    Token: 33  3532  svchost.exe
    Token: SeIncBasePriorityPrivilege  3532  svchost.exe
    (the two rows for PID 3532, Token: 33 and Token: SeIncBasePriorityPrivilege, are each reported 16 times, alternating; 34 IoCs in total)
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 3096 wrote to memory of 3532  3096  68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe  svchost.exe
    PID 3096 wrote to memory of 3532  3096  68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe  svchost.exe
    PID 3096 wrote to memory of 3532  3096  68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe  svchost.exe
    PID 3532 wrote to memory of 3588  3532  svchost.exe  netsh.exe
    PID 3532 wrote to memory of 3588  3532  svchost.exe  netsh.exe
    PID 3532 wrote to memory of 3588  3532  svchost.exe  netsh.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\68e05f32c339585c1d415c35d805245f_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
        - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize: 72KB
    MD5: 68e05f32c339585c1d415c35d805245f
    SHA1: d6917a7251b868bf957c12b8f3c03640f55b79c4
    SHA256: ed6398ae88f980ec67453283ae2087086f98236250e7fe1d071fa39d0b0f966e
    SHA512: aee88d6406b8c7e6453fb236940adb25f0164ea53ee81256a30303610c4821bd47eac86aa5d2e795f700801c6d7f9b43f2ee1995de7caa80c5dd5b6ac02fdcb3
  memory/3096-0-0x000000007461E000-0x000000007461F000-memory.dmp
    Filesize: 4KB
  memory/3096-1-0x00000000005E0000-0x00000000005F8000-memory.dmp
    Filesize: 96KB
  memory/3096-2-0x0000000005530000-0x0000000005AD4000-memory.dmp
    Filesize: 5.6MB
  memory/3096-3-0x0000000005020000-0x00000000050B2000-memory.dmp
    Filesize: 584KB
  memory/3096-4-0x00000000050C0000-0x000000000515C000-memory.dmp
    Filesize: 624KB
  memory/3096-5-0x0000000004FB0000-0x0000000004FBA000-memory.dmp
    Filesize: 40KB
  memory/3096-6-0x0000000074610000-0x0000000074DC0000-memory.dmp
    Filesize: 7.7MB
  memory/3096-7-0x0000000007280000-0x000000000728C000-memory.dmp
    Filesize: 48KB
  memory/3096-20-0x0000000074610000-0x0000000074DC0000-memory.dmp
    Filesize: 7.7MB
  memory/3532-21-0x0000000074610000-0x0000000074DC0000-memory.dmp
    Filesize: 7.7MB
  memory/3532-23-0x0000000074610000-0x0000000074DC0000-memory.dmp
    Filesize: 7.7MB