Analysis

Max time kernel: 149s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-05-2024 03:20

Tasks
  Static task: static1
  Behavioral task: behavioral1
    Sample: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
    Resource: win7-20240221-en
  Behavioral task: behavioral2
    Sample: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
    Resource: win10v2004-20240508-en

The behavioral results on this page are from the win10v2004-20240508-en run (behavioral2).
General

Target: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe
Size: 1.1MB
MD5: 6d2b7843f0e9168704d4c71108cfdc50
SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
SSDEEP: 24576:NzPMEK/3JXKFN53ZVwK3FOn+rPcgVATn9LH4GkYsBHwEo:BPfWQjfY+bcgVmJQYsBHwR
Malware Config

Extracted family: njrat
Version: 0.7d
Botnet/campaign ID: coder
C2: 81.61.77.92:5553
890f73d3282170b26075ca7917951b6e (unlabeled in the extracted config; the same 32-hex string is the reg_key below, the Run value name and the file name dropped into the Startup folder, see Signatures)
reg_key: 890f73d3282170b26075ca7917951b6e
splitter: |'|'|
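The splitter value above is what the RAT uses to delimit fields inside each C2 message, so it is the natural pivot for carving its traffic. The following is an added example, not part of the sandbox report: SPLITTER and the version string are taken from the extracted config; the wire framing (an ASCII decimal length, a NUL byte, then the splitter-delimited fields) and the "ll" registration command name follow public njRAT write-ups and are assumptions here; the stream being parsed is constructed, with illustrative field values that are not taken from this sample's traffic.

```python
"""Carve fields out of njRAT-style C2 traffic using the splitter from the extracted config.

Added example, not part of the sandbox report. SPLITTER and VERSION come from the
Malware Config section. The length/NUL framing and the "ll" command name follow
public njRAT write-ups and are assumptions; SAMPLE_STREAM is constructed.
"""
import base64

SPLITTER = "|'|'|"   # from the extracted config
VERSION = "0.7d"     # from the extracted config


def frame(body: bytes) -> bytes:
    """Wrap one message in the assumed framing: ASCII length, NUL, body."""
    return str(len(body)).encode("ascii") + b"\x00" + body


def split_frames(stream: bytes) -> list[bytes]:
    """Split a reassembled TCP stream into message bodies; raise on malformed framing."""
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        header = stream[pos:nul] if nul != -1 else b""
        if not header.isdigit():
            raise ValueError(f"bad length header at offset {pos}")
        length = int(header)
        body = stream[nul + 1 : nul + 1 + length]
        if len(body) != length:
            raise ValueError(f"truncated frame at offset {pos}: want {length}, have {len(body)}")
        frames.append(body)
        pos = nul + 1 + length
    return frames


def parse_message(body: bytes) -> dict:
    """The first splitter-delimited field is the command; the rest are its arguments."""
    parts = body.decode("utf-8", errors="replace").split(SPLITTER)
    return {"command": parts[0], "fields": parts[1:]}


def is_njrat_like(msg: dict) -> bool:
    """Cheap triage check: the splitter occurred and the config's version string is a field."""
    return len(msg["fields"]) >= 2 and VERSION in msg["fields"]


def registration(hostname: str, user: str) -> bytes:
    """Constructed registration-style ('ll') message; field order is illustrative only."""
    victim_id = base64.b64encode(f"victim_{hostname}".encode()).decode()
    window = base64.b64encode(b"Program Manager").decode()
    fields = ["ll", victim_id, hostname, user, "24-05-24", "", "Win 10 Pro x64",
              "No", VERSION, "..", window]
    return SPLITTER.join(fields).encode()


# Constructed stream: two framed registration messages back to back.
SAMPLE_STREAM = frame(registration("DESKTOP-TEST", "Admin")) + frame(registration("WS-0042", "jdoe"))

if __name__ == "__main__":
    for body in split_frames(SAMPLE_STREAM):
        msg = parse_message(body)
        print(msg["command"], msg["fields"][1], "njrat-like" if is_njrat_like(msg) else "other")
```

Run against a real capture, feed `split_frames` the reassembled client-to-server stream for 81.61.77.92:5553; a `ValueError` on the first frame means the traffic is not framed the way this example assumes, which is itself useful to know before writing a network signature on it.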
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 5100)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
  Process: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\890f73d3282170b26075ca7917951b6e.exe
  Process: Data.exe

Executes dropped EXE (1 IoC)
  Process: Data.exe (PID 2192)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .."
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\890f73d3282170b26075ca7917951b6e = "\"C:\\Users\\Admin\\AppData\\Roaming\\Data.exe\" .."
  Process: Data.exe
  The value name is the config's reg_key, and both values carry the bare ".." argument after the quoted path. The HKLM write landed under WOW6432Node because Data.exe is a 32-bit process on this x64 host (it also launched netsh.exe from SysWOW64).

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 1312, 1 call), Data.exe (PID 2192, 16 calls)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: Data.exe (PID 2192)
  Token: SeDebugPrivilege (1)
  Token: 33 (17; numeric privilege LUID left unresolved by the sandbox)
  Token: SeIncBasePriorityPrivilege (17)

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 1312), Data.exe (PID 2192)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1312 (6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe) wrote to memory of PID 2192 (Data.exe), 3 times
  PID 2192 (Data.exe) wrote to memory of PID 5100 (netsh.exe), 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe (PID 1312)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\Data.exe (PID 2192, child of 1312)
    Command line: "C:\Users\Admin\AppData\Roaming\Data.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe (PID 5100, child of 2192)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Data.exe" "Data.exe" ENABLE
      - Modifies Windows Firewall

The chain is: the submitted sample copies itself to %AppData%\Data.exe (identical hashes, see Downloads) and runs it; the copy installs Run-key and Startup-folder persistence under the reg_key name and uses the legacy netsh firewall syntax to whitelist itself before reaching out to the C2.
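The three behaviours in this process tree (a user-writable binary whitelisted through netsh, a Run value of the form "<path>" .., and a 32-hex-named .exe dropped into the per-user Startup folder) are each detectable on their own and much stronger when the same identifier ties two of them together. The following is an added example, not part of the sandbox report: it runs that logic over a few constructed Sysmon-style records (Event ID 1 process create, 11 file create, 13 registry value set) modelled on the IoCs above, plus two benign look-alikes that must not fire. The event dicts and their field names are assumptions standing in for whatever the SIEM exposes.

```python
"""Host-side detection for the njRAT persistence and firewall chain seen in this report.

Added example, not part of the sandbox report. SAMPLE_EVENTS are constructed
Sysmon-style records modelled on the IoCs above; field names are assumptions.
"""
import re

# njRAT persists under one 32-hex identifier (the config's reg_key), both as a Run
# value name and as an .exe dropped into the per-user Startup folder.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# The Run value is written as  "<path>" ..  ; the bare two-dot argument is the pivot.
RUN_VALUE_DOTDOT = re.compile(r'^"(?P<path>[^"]+)"\s+\.\.$')
# Legacy netsh syntax seen here, plus the advfirewall form for completeness.
NETSH_ALLOW = re.compile(
    r"\b(?:firewall\s+add\s+allowedprogram\s+(?:program=)?"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=)"
    r"(?P<path>\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def analyse(events):
    """Return (kind, identifier_or_path, process) tuples for each matching event."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and ev["Image"].lower().endswith("\\netsh.exe"):
            m = NETSH_ALLOW.search(ev["CommandLine"])
            if m:
                path = m.group("path").strip('"')
                if USER_WRITABLE.search(path):
                    findings.append(("firewall_allow_userland_binary", path, ev["ParentImage"]))
        elif eid == 13:
            key = RUN_KEY.search(ev["TargetObject"])
            val = RUN_VALUE_DOTDOT.match(ev["Details"])
            if key and val:
                findings.append(("njrat_run_key", key.group("name"), val.group("path")))
        elif eid == 11 and STARTUP_DIR.search(ev["TargetFilename"]):
            name = ev["TargetFilename"].rsplit("\\", 1)[-1]
            stem, _, ext = name.rpartition(".")
            if ext.lower() == "exe" and HEX32.match(stem):
                findings.append(("startup_drop_hex_name", name, ev["Image"]))
    return findings


def correlate(findings):
    """Identifiers used both as a Run value name and as a Startup-folder file name."""
    run_names = {f[1] for f in findings if f[0] == "njrat_run_key"}
    startup_stems = {f[1].rpartition(".")[0] for f in findings if f[0] == "startup_drop_hex_name"}
    return sorted(run_names & startup_stems)


# Constructed Sysmon-style events mirroring the report's process tree (not real logs).
SID = "S-1-5-21-1337824034-2731376981-3755436523-1000"
DATA_EXE = "C:\\Users\\Admin\\AppData\\Roaming\\Data.exe"
IDENT = "890f73d3282170b26075ca7917951b6e"
STARTUP = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
RUN = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": DATA_EXE, "TargetFilename": STARTUP + "\\" + IDENT + ".exe"},
    {"EventID": 13, "Image": DATA_EXE, "TargetObject": "HKU\\" + SID + "\\" + RUN + "\\" + IDENT,
     "Details": '"' + DATA_EXE + '" ..'},
    {"EventID": 13, "Image": DATA_EXE,
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\" + IDENT,
     "Details": '"' + DATA_EXE + '" ..'},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\netsh.exe", "ParentImage": DATA_EXE,
     "CommandLine": 'netsh firewall add allowedprogram "' + DATA_EXE + '" "Data.exe" ENABLE'},
    # Benign look-alikes that must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "netsh advfirewall show allprofiles"},
    {"EventID": 13, "Image": "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\" + SID + "\\" + RUN + "\\OneDrive",
     "Details": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for kind, what, proc in found:
        print(f"{kind:32} {what}  <- {proc}")
    print("shared identifier:", correlate(found))
```

The firewall rule alone is the weakest of the three signals (installers legitimately whitelist themselves), which is why the check insists on a path under a user's AppData; the Run value with the trailing ".." and the 32-hex Startup file name carry far less noise, and an identifier shared between them is about as close to a family-level verdict as host telemetry gets without the binary.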
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Roaming\Data.exe
  Filesize: 1.1MB
  MD5: 6d2b7843f0e9168704d4c71108cfdc50
  SHA1: 3fb8ed1bc9eb790af15c1f18486ac5461a44ed71
  SHA256: f2efdb91127d45b051573b56d5390401a0067eb015f2db95a65563dea235555e
  SHA512: 56622c990c77363bf709cba7684dd484fe96b24aa2f8f68828b494d556bb73d800955fc080a9d6e24d5f4c7f3c39a11d49d2870e1f0869a6912ef36fa67df0b0
  All four hashes match the submitted sample: Data.exe is a byte-identical copy of the dropper, not a second-stage payload, so one file hash covers both artifacts.

Memory dumps (PID 1312, 6d2b7843f0e9168704d4c71108cfdc50_JaffaCakes118.exe)
  memory/1312-0-0x0000000000930000-0x0000000000CAE000-memory.dmp   3.5MB
  memory/1312-1-0x00000000742EE000-0x00000000742EF000-memory.dmp   4KB
  memory/1312-2-0x0000000000930000-0x0000000000CAE000-memory.dmp   3.5MB
  memory/1312-3-0x0000000003290000-0x000000000329A000-memory.dmp   40KB
  memory/1312-4-0x0000000005DC0000-0x0000000005E5C000-memory.dmp   624KB
  memory/1312-5-0x0000000006410000-0x00000000069B4000-memory.dmp   5.6MB
  memory/1312-20-0x0000000000930000-0x0000000000CAE000-memory.dmp  3.5MB

Memory dumps (PID 2192, Data.exe)
  memory/2192-17-0x0000000000B30000-0x0000000000EAE000-memory.dmp  3.5MB
  memory/2192-21-0x0000000000B30000-0x0000000000EAE000-memory.dmp  3.5MB
  memory/2192-22-0x0000000000B30000-0x0000000000EAE000-memory.dmp  3.5MB
  memory/2192-23-0x00000000742E0000-0x0000000074A90000-memory.dmp  7.7MB
  memory/2192-25-0x0000000005920000-0x00000000059B2000-memory.dmp  584KB
  memory/2192-26-0x00000000742E0000-0x0000000074A90000-memory.dmp  7.7MB
  memory/2192-27-0x0000000005820000-0x000000000582A000-memory.dmp  40KB
  memory/2192-30-0x0000000000B30000-0x0000000000EAE000-memory.dmp  3.5MB
  memory/2192-31-0x00000000742E0000-0x0000000074A90000-memory.dmp  7.7MB
  memory/2192-33-0x00000000742E0000-0x0000000074A90000-memory.dmp  7.7MB