Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
Size: 223KB
MD5: 7b777263642cd694415accdb45b19de6
SHA1: 157c6b950a34e59a575c943955d4a6347f484b2b
SHA256: 23ce7d714e8ccd6fe40a1b10803b587e2cf4dbb61e8ee4624654d7fd2c38bdf7
SHA512: 525a71dd76441cb2f25706594217ddff2300fb1c177f821334993c46e041a8ac3416031183f013083397ec270a15e0b98cb28579ed891a003a58321c52e55e6a
SSDEEP: 1536:SoqdjhPaj/r8YOQLFCdZt5W8SOMIOGZ+qqeydYNAX5Jo/FRKP6ecRiTn:Od0jjNfgZt5Wpkee/C
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: cb4cb4
C2: cb4cb4.ddns.net:1604
Mutex: 2b4311709f49c1773d2dd641126cf3dd
reg_key: 2b4311709f49c1773d2dd641126cf3dd
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   process
  1728  netsh.exe
Executes dropped EXE (2 IoCs)
  pid   process
  2592  server.exe
  2968  server.exe
Loads dropped DLL (2 IoCs)
  pid   process
  2612  7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  2592  server.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  process: server.exe
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RegSvc = "\"ApplicationData\\RegSvc.exe.exe\""
Suspicious use of SetThreadContext (2 IoCs)
  PID 1148 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe) set thread context of 2612 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)
  PID 2592 (server.exe) set thread context of 2968 (server.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   process                                              occurrences
  1148  7b777263642cd694415accdb45b19de6_JaffaCakes118.exe  6
  2592  server.exe                                           6
Suspicious use of AdjustPrivilegeToken (37 IoCs)
  token                       pid   process                                              occurrences
  SeDebugPrivilege            1148  7b777263642cd694415accdb45b19de6_JaffaCakes118.exe  1
  SeDebugPrivilege            2592  server.exe                                           1
  SeDebugPrivilege            2968  server.exe                                           1
  33                          2968  server.exe                                           17
  SeIncBasePriorityPrivilege  2968  server.exe                                           17
  (the last two entries alternate in the original trace: 33, SeIncBasePriorityPrivilege, 33, ... for PID 2968)
Suspicious use of WriteProcessMemory (26 IoCs)
  source pid (process)                                         target pid (process)                                         occurrences
  1148 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)  2612 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)  9
  2612 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)  2592 (server.exe)                                            4
  2592 (server.exe)                                            2968 (server.exe)                                            9
  2968 (server.exe)                                            1728 (netsh.exe)                                             4
Processes
1. C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe"
   PID: 1148
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe"
      PID: 2612
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\server.exe
         command line: "C:\Users\Admin\AppData\Roaming\server.exe"
         PID: 2592
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\server.exe
            command line: "C:\Users\Admin\AppData\Roaming\server.exe"
            PID: 2968
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\netsh.exe
               command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
               PID: 1728
               - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)