Analysis

max time kernel: 149s
max time network: 119s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 05:24
Behavioral task: behavioral1
Sample: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Resource: win10v2004-20240508-en

(The signatures and process tree below are from the windows7_x64 run, behavioral1.)
General

Target: 83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe
Size: 29KB
MD5: 83272ae366111201b532f0c5f22a6fe7
SHA1: 7bf1f65586685bea1e0398c582968082728ade0e
SHA256: dacab3f01eaf2e8c59256124dc47ab03d472a46739918f707f752d9c8d473c1e
SHA512: 5de81da902a88ce424684dbe6564c280378165b0399f17c40cf939298c7708d840a0a06dbfb08ea19c94529fd326e1e542f50acb81aebb3643271d80c3de94bc
SSDEEP: 768:67JEWe4PVzdmBRbqELeuBKh0p29SgROu:67JbhmBRblrKhG29jOu
Malware Config

Extracted family: njrat
Version: 0.6.4
Control (C2): id7oomz.ddns.net:1177
  07db318145681dc5e0cbb8c76a1a4fa9
reg_key: 07db318145681dc5e0cbb8c76a1a4fa9
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  netsh.exe (PID 2652) adds a firewall exception for the dropped binary; the full command line is in the process tree.

Drops startup file (2 IoCs)
  Windows Defender.exe (PID 2516) creates, then opens for modification:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07db318145681dc5e0cbb8c76a1a4fa9.exe

Executes dropped EXE (1 IoC)
  Windows Defender.exe (PID 2516)

Loads dropped DLL (1 IoC)
  83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe (PID 2348)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Windows Defender.exe (PID 2516) sets two string values, one per-user and one machine-wide:
  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe\" .."
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Defender.exe\" .."
  The Wow6432Node path (and the SysWOW64 netsh.exe in the process tree) shows the dropped binary runs as a 32-bit process on the x64 guest. The value name is the reg_key from the extracted config; the same id is reused as the Startup-folder file name.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Windows Defender.exe (PID 2516), 33 occurrences.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Windows Defender.exe (PID 2516) adjusts its token for SeDebugPrivilege.

Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2348 (83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe) wrote to memory of PID 2516 (Windows Defender.exe), 4 occurrences.
  PID 2516 (Windows Defender.exe) wrote to memory of PID 2652 (netsh.exe), 4 occurrences.
Processes

C:\Users\Admin\AppData\Local\Temp\83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe  (PID 2348, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\83272ae366111201b532f0c5f22a6fe7_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe  (PID 2516, level 2, child of 2348)
    command line: "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 2652, level 3, child of 2516)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE
      - Modifies Windows Firewall
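The behaviours above (a Run value and a Startup-folder drop pointing into a user-writable directory, a netsh firewall exception for that same path, and traffic to the configured C2) are what a detection engineer would turn into rules. The following is an added example, not part of the Triage report or of njRAT: detection logic run over a few constructed telemetry events modelled on the signature lines of this report, plus two benign events for contrast. The event dictionary layout (`type`, `pid`, `ppid`, `cmdline`, `key`, `data`, `path`, `host`, `port`) is an assumption for this example, not a real sensor schema, and the rule for netsh also covers the newer `netsh advfirewall firewall add rule` form, which this sample does not use.

```python
"""Added example (not from the Triage report or njRAT): detection logic for the
persistence and firewall-tampering behaviour recorded above, run over
constructed telemetry events. Event field names are an assumption."""
import re
from typing import Dict, List

# Indicators taken from the report: C2 host:port from the extracted config and the
# id njRAT reused as the Run value name and as the Startup-folder file name.
C2_HOST = "id7oomz.ddns.net"
C2_PORT = 1177
BOT_ID = "07db318145681dc5e0cbb8c76a1a4fa9"

# Run keys under HKCU or HKLM, including the Wow6432Node view a 32-bit process writes to.
RUN_KEY_RE = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public)\\", re.I)
# Legacy 'netsh firewall' syntax (as in the report) and the newer advfirewall form.
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh(\.exe)?\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)


def detect(event: Dict) -> List[str]:
    """Return the names of the detections a single event triggers."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process":
        cmd = event["cmdline"]
        if NETSH_ALLOW_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            hits.append("firewall_exception_for_user_writable_path")
    elif kind == "registry":
        key, data = event["key"], event["data"]
        if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(data):
            hits.append("run_key_points_to_user_writable_path")
        value_name = key.rstrip("\\").rsplit("\\", 1)[-1]
        if value_name.lower() == BOT_ID:
            hits.append("known_njrat_bot_id_run_value")
    elif kind == "file":
        if STARTUP_DIR_RE.search(event["path"]):
            hits.append("startup_folder_drop")
    elif kind == "network":
        if event.get("host", "").lower() == C2_HOST:
            hits.append("njrat_c2_host")
        if event.get("port") == C2_PORT:
            hits.append("njrat_c2_port")
    return hits


def triage(events: List[Dict], threshold: int = 2) -> Dict[int, List[str]]:
    """Group detections by acting process; flag those with >= threshold distinct hits.
    A process-creation event is attributed to the parent (the process that ran netsh),
    matching the report's 'PID 2516 wrote to memory of 2652' attribution."""
    by_pid: Dict[int, set] = {}
    for ev in events:
        actor = ev["ppid"] if ev["type"] == "process" else ev["pid"]
        for h in detect(ev):
            by_pid.setdefault(actor, set()).add(h)
    return {pid: sorted(h) for pid, h in by_pid.items() if len(h) >= threshold}


# Constructed events mirroring the report, plus two benign ones (OneDrive autostart,
# an informational netsh call) that must not fire.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 2652, "ppid": 2516, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" "Windows Defender.exe" ENABLE'},
    {"type": "registry", "pid": 2516,
     "key": r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" ..'},
    {"type": "registry", "pid": 2516,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\07db318145681dc5e0cbb8c76a1a4fa9",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe" ..'},
    {"type": "file", "pid": 2516,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07db318145681dc5e0cbb8c76a1a4fa9.exe"},
    {"type": "network", "pid": 2516, "host": "id7oomz.ddns.net", "port": 1177},
    {"type": "registry", "pid": 1234,
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"type": "process", "pid": 1300, "ppid": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Run on the constructed events, only PID 2516 is flagged, with six distinct detections; the benign Run value under Program Files and the informational netsh call produce none. The threshold keeps a single weak signal (a lone Run key, or port 1177 by itself, which is njRAT's default but not exclusive to it) from paging anyone, while the combination seen here is unambiguous.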
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)