Analysis
Max time kernel: 150s
Max time network: 157s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-05-2024 03:03
Static task: static1
Behavioral task: behavioral1
  Sample: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
Size: 223KB
MD5: 7b777263642cd694415accdb45b19de6
SHA1: 157c6b950a34e59a575c943955d4a6347f484b2b
SHA256: 23ce7d714e8ccd6fe40a1b10803b587e2cf4dbb61e8ee4624654d7fd2c38bdf7
SHA512: 525a71dd76441cb2f25706594217ddff2300fb1c177f821334993c46e041a8ac3416031183f013083397ec270a15e0b98cb28579ed891a003a58321c52e55e6a
SSDEEP: 1536:SoqdjhPaj/r8YOQLFCdZt5W8SOMIOGZ+qqeydYNAX5Jo/FRKP6ecRiTn:Od0jjNfgZt5Wpkee/C
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: cb4cb4
C2: cb4cb4.ddns.net:1604
Mutex: 2b4311709f49c1773d2dd641126cf3dd
Attributes:
- reg_key: 2b4311709f49c1773d2dd641126cf3dd
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  PID 112 netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation (by 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  PID 2756 server.exe
  PID 3276 server.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RegSvc = "\"ApplicationData\\RegSvc.exe.exe\"" (by server.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (pid -> target pid):
  PID 2388 set thread context of 548 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe -> 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe)
  PID 2756 set thread context of 3276 (server.exe -> server.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  PID 2388 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe (6 events)
  PID 2756 server.exe (6 events)
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 2388 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 2756 server.exe
  Token: SeDebugPrivilege, PID 3276 server.exe
  Token: 33, PID 3276 server.exe (13 events)
  Token: SeIncBasePriorityPrivilege, PID 3276 server.exe (13 events)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (pid -> target pid):
  PID 2388 wrote to memory of 548 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe -> 7b777263642cd694415accdb45b19de6_JaffaCakes118.exe), 8 events
  PID 548 wrote to memory of 2756 (7b777263642cd694415accdb45b19de6_JaffaCakes118.exe -> server.exe), 3 events
  PID 2756 wrote to memory of 3276 (server.exe -> server.exe), 8 events
  PID 3276 wrote to memory of 112 (server.exe -> netsh.exe), 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe (PID 2388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe (PID 548)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\server.exe (PID 2756)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\server.exe (PID 3276)
        Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe (PID 112)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
          - Modifies Windows Firewall
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3592)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7b777263642cd694415accdb45b19de6_JaffaCakes118.exe.log
  Filesize: 492B
  MD5: 025b651197a4e2e1582d1b06958c1b91
  SHA1: 824504eaa5092ab3834a2feba7fdfd1492c3e28a
  SHA256: 1210ce1260f4f2db72186e5a5a7a094e3512876ca4b60263864250a0aebde2e7
  SHA512: 29908a50ce65051eefe631a4938bc08c0967d3117c99120a9b0ffef35801bfef124165906b767e357a2656a7f584e85fb82c7e3f8b8084ff9756fd621c73a024
-
  Filesize: 223KB
  MD5: 7b777263642cd694415accdb45b19de6
  SHA1: 157c6b950a34e59a575c943955d4a6347f484b2b
  SHA256: 23ce7d714e8ccd6fe40a1b10803b587e2cf4dbb61e8ee4624654d7fd2c38bdf7
  SHA512: 525a71dd76441cb2f25706594217ddff2300fb1c177f821334993c46e041a8ac3416031183f013083397ec270a15e0b98cb28579ed891a003a58321c52e55e6a