Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 21:29
Static task: static1
Behavioral task: behavioral1
Sample: 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
- Size: 33KB
- MD5: 7e771790005bf4bd41d8917e15ee449f
- SHA1: b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b
- SHA256: 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
- SHA512: 6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019
- SSDEEP: 768:VvTJ6v6kk5ftm4uw4yNUHOhEl23GJJRH+jcnuVTiNeVRT:tJY6kk5ftjuw4y+ssSGH1QcGDVRT
Malware Config
Extracted
njrat
0.7d
HacKed
127.0.0.1:1177
Windows Update
- reg_key: Windows Update
- splitter: |'|'|
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2612 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2612 | AcroRd32.exe
  2612 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe, rundll32.exe
  description | pid | process | target process
  PID 780 wrote to memory of 2552 | 780 | 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe | rundll32.exe
  PID 780 wrote to memory of 2552 | 780 | 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe | rundll32.exe
  PID 780 wrote to memory of 2552 | 780 | 7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe | rundll32.exe
  PID 2552 wrote to memory of 2612 | 2552 | rundll32.exe | AcroRd32.exe
  PID 2552 wrote to memory of 2612 | 2552 | rundll32.exe | AcroRd32.exe
  PID 2552 wrote to memory of 2612 | 2552 | rundll32.exe | AcroRd32.exe
  PID 2552 wrote to memory of 2612 | 2552 | rundll32.exe | AcroRd32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7e771790005bf4bd41d8917e15ee449f_JaffaCakes118.exe"
   PID: 780
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh
      PID: 2552
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"
         PID: 2612
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 33KB
  MD5: 7e771790005bf4bd41d8917e15ee449f
  SHA1: b4dfb1ada3a3d84ab60b1a7e13e0632fb20ca27b
  SHA256: 70f3eaa129fa11addaf5f9a2c8f4dd51b54171af82efe9d15626e94fa066da3d
  SHA512: 6beed852f9276647dcdf22c3329f6a6ede80584031e2c3d7461127986a17330e376bc5b7b7976483b309119004d40b1cbaaaa11a74eaeb5e35ecd42fa7bdd019
- Filesize: 3KB
  MD5: ae765a562855d836d331a6c52bd41903
  SHA1: 9adfa45fffcc19842ea96d5c4dba5132aced153d
  SHA256: cc73d312133f3f2113b3dd884e1b26e9aaf2ac0f1b43debb0d9fce2dbf0e153b
  SHA512: 7283bde188d9de7d9e113ee83931d576a3ac8dd0d8e3bd33e3c6144ef230dd9150f27f16e7af90a609b083b7fe841b278aad6fa2afc4a9eeb2678b9097604038