Analysis
-
max time kernel: 150s
max time network: 140s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 01:29
Behavioral task: behavioral1
Sample: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
Resource: win10v2004-20240508-en
General
-
Target: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe
Size: 37KB
MD5: 85972855ff977c521b1a717a32593fdd
SHA1: b0144dfb8130083922e35b70152edd83739359a9
SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
SSDEEP: 384:k4qBkiyjnDNGRn5IyUvapIrPbh+/VsIFzbrAF+rMRTyN/0L+EcoinblneHQM3epa:v35M5jUvairANsItrM+rMRa8NuaPt
Malware Config
Extracted
Family: njrat
Version: im523
Campaign ID: HacKer
C2: 91.232.111.212:7777
Mutex: 47f152bbb0d9981b492589085b7b7e18 (the same 32-hex install ID is reused below as the Run value name and the Startup-folder file name)
-
reg_key: 47f152bbb0d9981b492589085b7b7e18
-
splitter: |'|'|
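The splitter above is the field separator njRAT uses inside its C2 messages. The following is an added example, not code from this report or from njRAT: a framer and stream parser keyed on that splitter, useful when carving beacons out of a pcap to 91.232.111.212:7777. The message framing it assumes (ASCII decimal byte length of the payload, one NUL byte, then the payload) is taken from public write-ups of njRAT 0.7d, not from this report; the beacon fields are constructed for illustration, and only the "ll" command code, the version string im523 and the splitter itself are grounded in njRAT analyses or this sample's config.

```python
"""Frame and parse njRAT-style C2 messages using this sample's splitter.

Added example; not the sandbox's or njRAT's code. Assumption (from public
njRAT 0.7d analyses, not from this report): each message on the wire is
'<decimal byte length>\\x00<payload>', and payload fields are joined by the
configured splitter. The beacon below is constructed, not captured.
"""

SPLITTER = "|'|'|"  # value extracted from this sample's config


def frame(fields, splitter=SPLITTER):
    """Encode one message as '<len>\\x00<field1><splitter><field2>...'."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(buf, splitter=SPLITTER):
    """Pull every complete message out of a byte buffer.

    Returns (messages, leftover): messages is a list of field lists,
    leftover is any trailing partial frame still waiting for more data.
    """
    messages = []
    while True:
        nul = buf.find(b"\x00")
        if nul == -1:
            break
        prefix = buf[:nul]
        if not prefix.isdigit():
            raise ValueError(f"bad length prefix: {prefix!r}")
        length = int(prefix)
        body_start = nul + 1
        if len(buf) < body_start + length:
            break  # frame not fully received yet
        payload = buf[body_start:body_start + length].decode("utf-8", "replace")
        # Split on the whole multi-character splitter: a naive split on '|'
        # would shred every boundary into empty strings and stray quotes.
        messages.append(payload.split(splitter))
        buf = buf[body_start + length:]
    return messages, buf


# Constructed beacon in the shape of an njRAT registration ("ll") message.
# Field meanings are illustrative; only the command code, the version string
# and the splitter are grounded in public njRAT analyses / this report.
BEACON_FIELDS = [
    "ll",
    "HacKer_47f152bbb0d9981b492589085b7b7e18",  # campaign_installID (constructed)
    "ADMIN-PC",                    # hostname (constructed)
    "Admin",                       # user (constructed)
    "24-05-31",                    # install date (constructed)
    "",                            # empty field (constructed)
    "Win 7 Professional SP1 x64",  # OS string (constructed)
    "No",                          # webcam flag (constructed)
    "im523",                       # version string from this sample's config
    "..",
    "notepad",                     # foreground window title (constructed)
]


def demo():
    """Two complete frames followed by a truncated one."""
    stream = frame(BEACON_FIELDS) + frame(["inf"]) + b"12\x00partial"
    return parse_stream(stream)


if __name__ == "__main__":
    msgs, rest = demo()
    for m in msgs:
        print(m)
    print("leftover:", rest)
```

Feed `parse_stream` the reassembled TCP payload in either direction and keep the returned leftover as the prefix for the next segment; a non-numeric length prefix means the stream is not njRAT framing (or a different splitter/encoding is in use) and is raised rather than silently skipped.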
Signatures
-
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: netsh.exe (PID 2624)
-
Drops startup file (2 IoCs)
Processes:
svhost.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe
svhost.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe
-
Executes dropped EXE (1 IoC)
Processes: svhost.exe (PID 2324)
-
Loads dropped DLL (1 IoC)
Processes: 85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe (PID 1504)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
svhost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "C:\Users\Admin\svhost.exe" ..
svhost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18 = "C:\Users\Admin\svhost.exe" ..
-
Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
svhost.exe: File opened for modification C:\autorun.inf
svhost.exe: File created D:\autorun.inf
svhost.exe: File created F:\autorun.inf
svhost.exe: File opened for modification F:\autorun.inf
svhost.exe: File created C:\autorun.inf
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill (1 IoC)
Processes: taskkill.exe (PID 2548)
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: svhost.exe (PID 2324), 64 events
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: svhost.exe (PID 2324)
-
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes:
svhost.exe (PID 2324): Token SeDebugPrivilege (1 event); Token 33 and Token SeIncBasePriorityPrivilege, alternating (17 events each)
taskkill.exe (PID 2548): Token SeDebugPrivilege (1 event)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
PID 1504 (85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe) wrote to memory of PID 2324 (svhost.exe), 4 events
PID 2324 (svhost.exe) wrote to memory of PID 2624 (netsh.exe), 4 events
PID 2324 (svhost.exe) wrote to memory of PID 2548 (taskkill.exe), 4 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe (PID 1504)
   Command line: "C:\Users\Admin\AppData\Local\Temp\85972855ff977c521b1a717a32593fdd_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\svhost.exe (PID 2324, child of 1)
      Command line: "C:\Users\Admin\svhost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 2624, child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\svhost.exe" "svhost.exe" ENABLE
         - Modifies Windows Firewall
      3. C:\Windows\SysWOW64\taskkill.exe (PID 2548, child of 2)
         Command line: taskkill /F /IM Exsample.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
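The process tree and the signatures above together describe one install sequence: copy self to C:\Users\Admin\svhost.exe, open a firewall exception with netsh, kill a competing image with taskkill, persist through a Run value and a Startup-folder copy named after the 32-hex install ID, and seed autorun.inf on every drive root. As an added example that is not part of the sandbox's own detection logic, the following Python turns those observations into host-side detections and runs them over Sysmon-style events constructed from this report's IoCs plus two benign decoys. The event schema (type, image, cmdline, key, value, path) is an assumed simplification of Sysmon event IDs 1, 13 and 11, and the regexes are modelled on the values seen here rather than on any vendor signature.

```python
"""Match Sysmon-style events against the njRAT behaviours in this report.

Added example, not the sandbox's signature logic. The event dicts are
constructed from the report's IoCs plus two benign decoys; the field names
(type, image, cmdline, key, value, path) are an assumed simplified schema.
"""
import re
from collections import defaultdict

HEX32 = r"[0-9a-f]{32}"  # install ID shape seen in the Run value and Startup file

CMDLINE_RULES = {
    # netsh firewall add allowedprogram "<path>" "<name>" ENABLE
    "netsh_firewall_allow": re.compile(
        r"\bnetsh\b.*\bfirewall\s+add\s+allowedprogram\b", re.I),
    # taskkill /F /IM <image>
    "taskkill_force_image": re.compile(
        r"\btaskkill\b.*\s/F\b.*\s/IM\s+\S+", re.I),
}
RUN_KEY = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\"
    + HEX32 + r"$", re.I)
# njRAT writes the Run value as "<path>" followed by a space and two dots.
NJRAT_RUN_VALUE = re.compile(r'^"[^"]+\.exe" \.\.$', re.I)
STARTUP_DROP = re.compile(
    r"\\Start Menu\\Programs\\Startup\\" + HEX32 + r"\.exe$", re.I)
AUTORUN_ROOT = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)


def detect(events):
    """Return a list of (finding, image, evidence) tuples."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            for name, rx in CMDLINE_RULES.items():
                if rx.search(ev["cmdline"]):
                    findings.append((name, ev["image"], ev["cmdline"]))
        elif ev["type"] == "registry_set":
            if RUN_KEY.search(ev["key"]):
                name = ("run_key_persistence_njrat_style"
                        if NJRAT_RUN_VALUE.match(ev["value"])
                        else "run_key_persistence")
                findings.append((name, ev["image"], f'{ev["key"]} = {ev["value"]}'))
        elif ev["type"] == "file_create":
            if STARTUP_DROP.search(ev["path"]):
                findings.append(("startup_folder_drop", ev["image"], ev["path"]))
            elif AUTORUN_ROOT.match(ev["path"]):
                findings.append(("autorun_inf_drop", ev["image"], ev["path"]))
    return findings


def by_image(findings):
    """Group distinct finding names per process image (who did what)."""
    grouped = defaultdict(set)
    for name, image, _ in findings:
        grouped[image].add(name)
    return dict(grouped)


# Constructed events mirroring this report's IoCs, plus two benign decoys.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "C:\\Users\\Admin\\svhost.exe" "svhost.exe" ENABLE'},
    {"type": "process_create", "image": "taskkill.exe",
     "cmdline": "taskkill /F /IM Exsample.exe"},
    {"type": "registry_set", "image": "svhost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18",
     "value": '"C:\\Users\\Admin\\svhost.exe" ..'},
    {"type": "registry_set", "image": "svhost.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\47f152bbb0d9981b492589085b7b7e18",
     "value": '"C:\\Users\\Admin\\svhost.exe" ..'},
    {"type": "file_create", "image": "svhost.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\47f152bbb0d9981b492589085b7b7e18.exe"},
    {"type": "file_create", "image": "svhost.exe", "path": r"D:\autorun.inf"},
    # decoys (constructed): autorun.inf outside a drive root, ordinary cmd
    {"type": "file_create", "image": "explorer.exe",
     "path": r"C:\Users\Admin\Documents\autorun.inf"},
    {"type": "process_create", "image": "cmd.exe", "cmdline": "cmd /c dir"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print(by_image(detect(SAMPLE_EVENTS)))
```

The per-image grouping is what makes this useful beyond a single IoC hit: on this sample every persistence finding lands on svhost.exe, while netsh.exe and taskkill.exe each carry one finding, matching the parent/child relationships the WriteProcessMemory signature recorded.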
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\svhost.exe
Filesize: 37KB
MD5: 85972855ff977c521b1a717a32593fdd
SHA1: b0144dfb8130083922e35b70152edd83739359a9
SHA256: 4b0f762e2935bd48524d835f4d6eb6289f20721241a362fb51a520150fdba95e
SHA512: 1c81a09c3e562bbe462690d899499d187e3b52fd5d5ec759482d7dda5136c4af54f5c806d246db8a331effb633f96754987a8af03238b7cda5019c5fd17c849f
All four hashes match the submitted sample: svhost.exe is a byte-identical self-copy, so the original hashes are sufficient to hunt for the dropped file.
-
memory/1504-0-0x0000000074511000-0x0000000074512000-memory.dmp  Filesize: 4KB
memory/1504-1-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB
memory/1504-2-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB
memory/1504-11-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB
memory/2324-12-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB
memory/2324-10-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB
memory/2324-22-0x0000000074510000-0x0000000074ABB000-memory.dmp  Filesize: 5.7MB