Analysis
max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 10:10
Behavioral task: behavioral1
Sample: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
Resource: win10v2004-20240426-en
General
Target: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
Size: 98KB
MD5: 86a34e496ef63dd3402c1fcc25d7f757
SHA1: c8da716483fcbafe7eb9fa71b7e64a88189ec6f1
SHA256: 56a571c098926202f99018b269d4ad834308919af35d78c17410dd934aa52bf9
SHA512: 6da020710232c563a806de1c3c76e3f6151b5414df70b4900c3536347287537e79395c8a4b3745aeff8b6dad496ee070f558a1d090d3258012af29f4bccf7841
SSDEEP: 3072:rfbmvdjA6iqZl8eAUo6Cgyy6DaGeSRHZLtz24j:/mLoay5nBXi4
Malware Config
Extracted: njrat
Version: 0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:4444
59e66e4fd01ed7a53bb65713760bdb7d
reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
splitter: |'|'|
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: pid 2572 netsh.exe
Drops startup file (2 IoCs)
  Google Root.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
  Google Root.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
Executes dropped EXE (1 IoC)
  Process: pid 2860 Google Root.exe
Loads dropped DLL (1 IoC)
  Process: pid 2872 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched:
    behavioral1/memory/2872-1-0x0000000000AE0000-0x0000000000AFE000-memory.dmp
    \Users\Admin\AppData\Local\Temp\Google Root.exe
    behavioral1/memory/2860-13-0x0000000000F70000-0x0000000000F8E000-memory.dmp
Adds Run key to start application (2 TTPs, 2 IoCs)
  Google Root.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
  Google Root.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Process: pid 2860 Google Root.exe (16 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Google Root.exe (pid 2860): Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2872 (86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe) wrote to memory of 2860 (Google Root.exe): 4 events
  PID 2860 (Google Root.exe) wrote to memory of 2572 (netsh.exe): 4 events
Processes
C:\Users\Admin\AppData\Local\Temp\86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Google Root.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process: Windows Service (1)
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process: Windows Service (1)
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
\Users\Admin\AppData\Local\Temp\Google Root.exe
  Filesize: 98KB
  MD5: 86a34e496ef63dd3402c1fcc25d7f757
  SHA1: c8da716483fcbafe7eb9fa71b7e64a88189ec6f1
  SHA256: 56a571c098926202f99018b269d4ad834308919af35d78c17410dd934aa52bf9
  SHA512: 6da020710232c563a806de1c3c76e3f6151b5414df70b4900c3536347287537e79395c8a4b3745aeff8b6dad496ee070f558a1d090d3258012af29f4bccf7841
memory/2860-14-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB
memory/2860-13-0x0000000000F70000-0x0000000000F8E000-memory.dmp
  Filesize: 120KB
memory/2860-15-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB
memory/2860-17-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB
memory/2860-18-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB
memory/2872-0-0x000000007433E000-0x000000007433F000-memory.dmp
  Filesize: 4KB
memory/2872-1-0x0000000000AE0000-0x0000000000AFE000-memory.dmp
  Filesize: 120KB
memory/2872-2-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB
memory/2872-3-0x0000000000430000-0x0000000000442000-memory.dmp
  Filesize: 72KB
memory/2872-4-0x0000000000440000-0x000000000044E000-memory.dmp
  Filesize: 56KB
memory/2872-12-0x0000000074330000-0x0000000074A1E000-memory.dmp
  Filesize: 6.9MB