Analysis
- Max time kernel: 150s
- Max time network: 141s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 24-05-2024 03:20
Static task: static1
Behavioral task: behavioral1
- Sample: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
The signatures, process tree and memory dumps below come from behavioral1 (the Windows 7 x64 run named in the Analysis block).
General
- Target: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 6d2b7843f0e9168704d4c71108cfdc50
- SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
- SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
- SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
- SSDEEP: 24576:NzPMEK/3JXKFN53ZVwK3FOn+rPcgVATn9LH4GkYsBHwEo:BPfWQjfY+bcgVmJQYsBHwR
Malware Config
Extracted family: njrat
- Version: 0.7d
- Campaign/botnet name: coder
- C2: 81.61.77.92:5553
- Mutex: 890f73d3282170b26075ca7917951b6e
- reg_key: 890f73d3282170b26075ca7917951b6e (the same string is reused as the Run value name and as the file name of the Startup-folder copy, see Signatures)
- Splitter: |'|'| (the field delimiter njRAT uses in its C2 messages)
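The splitter and version above are the two config values a network analyst reaches for first, because njRAT's C2 traffic is plaintext and delimited by exactly that string. The parser below is an added example, not code from Triage, from this sample or from njRAT itself. It assumes the njRAT 0.7d framing of a decimal ASCII length, a NUL byte, then the payload, with payload fields joined by the splitter; the registration and keep-alive messages it parses are constructed for the example (this report recorded no network traffic), and the field contents are placeholders.

```python
"""njRAT 0.7d stream parser (added example, not code from the report).

Assumed wire format, not stated on the page: every message is
'<decimal length><NUL><payload>', and the payload's fields are joined by
the splitter recovered in the extracted config. The sample traffic at
the bottom is constructed for the example, not captured from this run.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

SPLITTER = b"|'|'|"  # from the extracted config above


@dataclass
class Frame:
    cmd: bytes  # first field, e.g. b"ll" for the registration message
    fields: List[bytes] = field(default_factory=list)


def frame(payload: bytes) -> bytes:
    """Wrap a payload the way the client does: ASCII length, NUL, bytes."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Pull every complete payload out of buf; return (payloads, leftover).

    The leftover is a partial frame waiting for the next TCP segment, so a
    reassembly loop can call this repeatedly without losing bytes.
    """
    payloads: List[bytes] = []
    while True:
        nul = buf.find(b"\x00")
        if nul < 0:
            return payloads, buf  # length prefix not complete yet
        head = buf[:nul]
        if not head.isdigit():
            raise ValueError(f"not an njRAT length prefix: {head!r}")
        length, start = int(head), nul + 1
        if len(buf) - start < length:
            return payloads, buf  # payload not complete yet
        payloads.append(buf[start:start + length])
        buf = buf[start + length:]


def parse_payload(payload: bytes) -> Frame:
    parts = payload.split(SPLITTER)
    return Frame(cmd=parts[0], fields=parts[1:])


def parse_stream(segments: Iterable[bytes]) -> List[Frame]:
    """Reassemble TCP segments and decode every frame they contain."""
    buf, frames = b"", []
    for seg in segments:
        buf += seg
        done, buf = split_frames(buf)
        frames.extend(parse_payload(p) for p in done)
    if buf:
        raise ValueError(f"stream ended inside a frame: {buf!r}")
    return frames


def looks_like_njrat(payload: bytes) -> bool:
    """Cheap triage check: a short alphabetic command followed by the splitter."""
    cmd, sep, _ = payload.partition(SPLITTER)
    return bool(sep) and 1 <= len(cmd) <= 4 and cmd.isalpha()


# Constructed sample: a registration message followed by a one-byte keep-alive,
# deliberately cut across two segments to exercise the reassembly path.
REGISTRATION = SPLITTER.join(
    [b"ll", b"SGFja2VkXzEyMzQ1", b"Admin", b"Win 7 Ultimate SP1", b"No", b"0.7d"]
)
STREAM = frame(REGISTRATION) + frame(b"P")
SEGMENTS = [STREAM[:17], STREAM[17:]]

if __name__ == "__main__":
    for fr in parse_stream(SEGMENTS):
        print(fr.cmd, fr.fields)
```

`split_frames` returns the unconsumed tail instead of raising, so a capture that splits a message across segments is reassembled rather than dropped; `looks_like_njrat` is deliberately loose and is meant as a first-pass filter before the full parse.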
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 2720)
- Drops startup file (2 IoCs)
  Process: Data.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe
- Executes dropped EXE (1 IoC)
  Process: Data.exe (PID 2440)
- Loads dropped DLL (1 IoC)
  Process: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 2220)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: Data.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "C:\Users\Admin\AppData\Roaming\Data.exe" ..
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "C:\Users\Admin\AppData\Roaming\Data.exe" ..
  Both values share the mutex/reg_key name from the config, and the trailing " .." argument is characteristic of njRAT's Run-key entry. The HKLM write lands under Wow6432Node because Data.exe is a 32-bit process on a 64-bit host.
- Suspicious use of NtSetInformationThreadHideFromDebugger (18 IoCs)
  Processes: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 2220, 2 calls); Data.exe (PID 2440, 16 calls)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: Data.exe (PID 2440). SeDebugPrivilege once, then 17 alternating pairs of privilege 33 (SeIncreaseWorkingSetPrivilege, which Triage prints by its LUID) and SeIncBasePriorityPrivilege. SeDebugPrivilege is the one worth noting; the other two are routine process-housekeeping privileges.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 2220); Data.exe (PID 2440)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2220 (6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe) wrote to memory of PID 2440 (Data.exe), 4 times
  PID 2440 (Data.exe) wrote to memory of PID 2720 (netsh.exe), 4 times
  Each process wrote only into the child it had just spawned, which is the footprint of its own CreateProcess call in this sandbox rather than evidence of injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 2220)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Data.exe (PID 2440), child of 1
      Command line: "C:\Users\Admin\AppData\Roaming\Data.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 2720), child of 2
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Data.exe" "Data.exe" ENABLE
         - Modifies Windows Firewall
The netsh call whitelists Data.exe itself in the host firewall under the display name "Data.exe". It uses the legacy `netsh firewall` context, which was superseded by `netsh advfirewall` but still works on Windows 7; a detection rule should match both spellings.
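The three behaviours chained above (a copy dropped into the Startup folder, a Run value whose data ends in " ..", and netsh allowing the process's own binary) are far more telling together than any one of them alone. The script below is an added example, not code from Triage, Sysmon or the sample: it correlates those tells per process over a small set of constructed Sysmon-style events whose paths, names and values mirror this report. The event layout (`eid`, `pid`, `ppid`, `image`, `target`, `details`) and the helper names are my own, and the benign "VendorUpdater" event is a constructed control.

```python
"""Correlate the njRAT persistence/evasion tells per process.

Added example, not code from Triage, Sysmon or the sample. The events are
constructed to mirror this report (Sysmon-style: EventID 1 = process
create, 11 = file create, 13 = registry value set); field names are my own.
"""
import re
from collections import defaultdict
from typing import Dict, List

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
NETSH_ALLOW_RE = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe"
DATA = r"C:\Users\Admin\AppData\Roaming\Data.exe"
NAME = "890f73d3282170b26075ca7917951b6e"  # mutex / reg_key from the config
SID = "S-1-5-21-3452737119-3959686427-228443150-1000"

EVENTS: List[Dict] = [
    {"eid": 1, "pid": 2220, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"eid": 1, "pid": 2440, "ppid": 2220, "image": DATA, "cmdline": f'"{DATA}"'},
    {"eid": 11, "pid": 2440, "image": DATA,
     "target": rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{NAME}.exe"},
    {"eid": 13, "pid": 2440, "image": DATA,
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\{NAME}",
     "details": f'"{DATA}" ..'},
    {"eid": 1, "pid": 2720, "ppid": 2440, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{DATA}" "Data.exe" ENABLE'},
    # Constructed benign control: a vendor updater that only sets a Run value.
    {"eid": 13, "pid": 900, "image": r"C:\Program Files\Vendor\Updater.exe",
     "target": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\Updater.exe" /background'},
]


def collect_tells(events: List[Dict]) -> Dict[int, List[str]]:
    """Group the persistence/evasion indicators by the process that produced them."""
    images = {e["pid"]: e["image"].lower() for e in events if e["eid"] == 1}
    tells = defaultdict(set)
    run_names, startup_names = defaultdict(set), defaultdict(set)
    for e in events:
        pid = e["pid"]
        if e["eid"] == 11 and (m := STARTUP_RE.search(e["target"])):
            tells[pid].add("startup_folder_drop")
            startup_names[pid].add(m.group(1).lower().rsplit(".", 1)[0])
        elif e["eid"] == 13 and (m := RUN_VALUE_RE.search(e["target"])):
            tells[pid].add("run_key")
            run_names[pid].add(m.group(1).lower())
            if e["details"].rstrip().endswith(" .."):  # njRAT's trailing " .." argument
                tells[pid].add("njrat_run_value_suffix")
        elif e["eid"] == 1 and (m := NETSH_ALLOW_RE.search(e["cmdline"])):
            # Credit the parent when it used netsh to whitelist its own binary.
            if images.get(e["ppid"]) == m.group(1).lower():
                tells[e["ppid"]].add("firewall_self_allow")
    for pid in list(tells):
        if run_names[pid] & startup_names[pid]:  # same name for Run value and Startup copy
            tells[pid].add("same_name_run_and_startup")
    return {pid: sorted(t) for pid, t in tells.items()}


def flag_processes(events: List[Dict], min_tells: int = 3) -> List[int]:
    """PIDs showing at least min_tells independent indicators."""
    return sorted(pid for pid, t in collect_tells(events).items() if len(t) >= min_tells)


if __name__ == "__main__":
    for pid, t in collect_tells(EVENTS).items():
        print(pid, t)
    print("flagged:", flag_processes(EVENTS))
```

The threshold of three keeps an ordinary installer that registers a Run value (the control event here) below the line, while the njRAT chain in this report clears it with room to spare; the netsh tell is attributed to the parent, not to netsh.exe, because the parent is the process that needs the firewall hole.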
Network
No network entries appear in this report, so the C2 in the extracted config (81.61.77.92:5553) is not confirmed by observed traffic here.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
Dropped file: \Users\Admin\AppData\Roaming\Data.exe
- Filesize: 1.1MB
- MD5: 6d2b7843f0e9168704d4c71108cfdc50
- SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
- SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
- SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
Every hash matches the submitted sample: Data.exe is a byte-for-byte self-copy, so one hash-based indicator covers both files.
Memory dumps
- memory/2220-14-0x00000000010F0000-0x000000000146E000-memory.dmp: 3.5MB
- memory/2220-2-0x00000000010F0000-0x000000000146E000-memory.dmp: 3.5MB
- memory/2220-3-0x0000000000550000-0x000000000055A000-memory.dmp: 40KB
- memory/2220-1-0x000000007407E000-0x000000007407F000-memory.dmp: 4KB
- memory/2220-10-0x0000000005EB0000-0x000000000622E000-memory.dmp: 3.5MB
- memory/2220-0-0x00000000010F0000-0x000000000146E000-memory.dmp: 3.5MB
- memory/2440-13-0x0000000000C50000-0x0000000000FCE000-memory.dmp: 3.5MB
- memory/2440-15-0x0000000000C50000-0x0000000000FCE000-memory.dmp: 3.5MB
- memory/2440-16-0x0000000073FF0000-0x00000000746DE000-memory.dmp: 6.9MB
- memory/2440-18-0x0000000073FF0000-0x00000000746DE000-memory.dmp: 6.9MB
- memory/2440-21-0x0000000073FF0000-0x00000000746DE000-memory.dmp: 6.9MB
- memory/2440-23-0x0000000073FF0000-0x00000000746DE000-memory.dmp: 6.9MB
The main-module regions of PID 2220 (0x010F0000-0x0146E000) and PID 2440 (0x00C50000-0x00FCE000) are the same size (0x37E000 bytes), consistent with Data.exe being the copy of the sample noted above; the 0x05EB0000 dump in PID 2220 is a second region of that same size and is the one to unpack first if the on-disk file is packed.