Analysis
-
max time kernel: 150s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 10:10
Behavioral task behavioral1: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe on resource win7-20240221-en
Behavioral task behavioral2: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe on resource win10v2004-20240426-en
The signatures, process tree and memory dumps below come from behavioral2 (Windows 10 2004 x64).
General
-
Target: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
Size: 98KB
MD5: 86a34e496ef63dd3402c1fcc25d7f757
SHA1: c8da716483fcbafe7eb9fa71b7e64a88189ec6f1
SHA256: 56a571c098926202f99018b269d4ad834308919af35d78c17410dd934aa52bf9
SHA512: 6da020710232c563a806de1c3c76e3f6151b5414df70b4900c3536347287537e79395c8a4b3745aeff8b6dad496ee070f558a1d090d3258012af29f4bccf7841
SSDEEP: 3072:rfbmvdjA6iqZl8eAUo6Cgyy6DaGeSRHZLtz24j:/mLoay5nBXi4
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet (campaign id): تم الاختراق من قبل دكتور الغربية # (Arabic: "Hacked by Doctor Al-Gharbia #")
C2: Dr187.ddns.net:4444
Mutex: 59e66e4fd01ed7a53bb65713760bdb7d
Attributes:
  reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
  splitter: |'|'|
The C2 is a dynamic-DNS hostname (ddns.net) on TCP 4444, so block and hunt on the name and the splitter string rather than on a resolved IP. The same 32-hex value is reused as mutex, Run-value name and Startup-folder filename (see Signatures), which makes it a convenient host-level IoC.
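Added example, not code from the report or from the malware: a small decoder for njRAT traffic built from the config values above. It assumes the message framing described in public njRAT write-ups (ASCII decimal length, a NUL byte, then the payload, with fields joined by the configured splitter); the "ll" command token comes from those write-ups, while the victim fields in SAMPLE_STREAM are invented and the field layout is not asserted. The "looks_like_njrat" heuristic and "suricata_content" helper are this example's own.

```python
# Added example: decode njRAT frames using the splitter and C2 extracted above.
# Framing (ASCII length, NUL, payload) is assumed from public write-ups;
# SAMPLE_STREAM is constructed for the example, not captured from the sample.
from typing import List

C2_HOST, C2_PORT = "Dr187.ddns.net", 4444
SPLITTER = "|'|'|"                                   # from the extracted config
MUTEX = "59e66e4fd01ed7a53bb65713760bdb7d"           # from the extracted config


def frame(payload: bytes) -> bytes:
    """Client-side framing: b'<decimal length>\\x00<payload>' (assumed format)."""
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(stream: bytes) -> List[bytes]:
    """Split a reassembled TCP stream into payloads.

    Stops at the first frame that is truncated or has a non-numeric length,
    so a detector fed a partial capture never raises.
    """
    payloads, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul <= pos or not stream[pos:nul].isdigit():
            break
        start, length = nul + 1, int(stream[pos:nul])
        if start + length > len(stream):
            break
        payloads.append(stream[start:start + length])
        pos = start + length
    return payloads


def split_fields(payload: bytes) -> List[str]:
    """Fields are separated by the splitter; the first one is the command."""
    return payload.decode("utf-8", "replace").split(SPLITTER)


def looks_like_njrat(payload: bytes) -> bool:
    """Heuristic: two or more splitter-delimited fields led by a short alphabetic command."""
    fields = split_fields(payload)
    return len(fields) >= 2 and 1 <= len(fields[0]) <= 4 and fields[0].isalpha()


def suricata_content(splitter: str) -> str:
    """Render the splitter as a Suricata/Snort hex content match."""
    return "|" + " ".join(f"{b:02x}" for b in splitter.encode()) + "|"


# Constructed check-in: 'll' registration (command token from public write-ups),
# followed by an invented 'inf' reply and a truncated frame that must be ignored.
SAMPLE_STREAM = (
    frame(SPLITTER.join(["ll", "VOLSERIAL_DESKTOP-1", "Admin", "24-05-31",
                         "No", "Win 10 Pro SP0 x64", "0.6.4"]).encode())
    + frame(SPLITTER.join(["inf", MUTEX]).encode())
    + b"12\x00trunc"
)


def summarize(stream: bytes = SAMPLE_STREAM) -> List[str]:
    """One line per decoded frame, tagging the ones that match the heuristic."""
    lines = []
    for payload in parse_frames(stream):
        fields = split_fields(payload)
        tag = "njrat" if looks_like_njrat(payload) else "?"
        lines.append(f"[{tag}] {fields[0]} -> {len(fields) - 1} field(s) to {C2_HOST}:{C2_PORT}")
    return lines


if __name__ == "__main__":
    print(suricata_content(SPLITTER))
    print("\n".join(summarize()))
```

The hex content match is what you would drop into a network rule for this family; the frame parser is the piece you need before any command-level logic, because the splitter alone also appears inside fields.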
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
The legacy "netsh firewall" syntax is used to add a program exception; Windows 10 still accepts it (printing a deprecation notice), so detections should cover both "netsh firewall add allowedprogram" and "netsh advfirewall firewall add rule".
Processes:
  pid: 4464  process: netsh.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation  process: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe
-
Drops startup file 2 IoCs
Processes:
  description: File created  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe  process: Google Root.exe
  description: File opened for modification  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe  process: Google Root.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid: 1304  process: Google Root.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource: behavioral2/memory/3524-1-0x0000000000D90000-0x0000000000DAE000-memory.dmp  yara_rule: agile_net
  resource: C:\Users\Admin\AppData\Local\Temp\Google Root.exe  yara_rule: agile_net
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description: Set value (str)  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."  process: Google Root.exe
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."  process: Google Root.exe
The value is written under both HKLM (via WOW6432Node, since the payload is 32-bit) and HKCU, and the data ends in a literal " .." argument, a pattern seen in njRAT Run entries that a registry-based detection can key on alongside the 32-hex value name.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
  pid: 1304  process: Google Root.exe  (32 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid: 1304  process: Google Root.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description: wrote to memory of  pid: 3524  process: 86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe  target pid: 1304  target process: Google Root.exe  (3 events)
  description: wrote to memory of  pid: 1304  process: Google Root.exe  target pid: 4464  target process: netsh.exe  (3 events)
Each pair is a parent writing into a child it has just created (3524 to 1304, 1304 to 4464, matching the process tree below). Three writes at process creation are consistent with ordinary CreateProcess set-up of the child rather than code injection, so on its own this signature is weak evidence.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe  (PID 3524)
  command line: "C:\Users\Admin\AppData\Local\Temp\86a34e496ef63dd3402c1fcc25d7f757_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Google Root.exe  (PID 1304, child of 3524)
    command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe  (PID 4464, child of 1304)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
      - Modifies Windows Firewall
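Added example, not code from the report: detection logic for the three persistence and evasion behaviours in the process tree above (netsh firewall exception, Run value with the trailing " .." argument under a user-writable path, Startup-folder drop with a 32-hex name), run over constructed Sysmon-style events. The event shape (EventID, ProcessId, ParentProcessId, CommandLine, TargetObject, Details, TargetFilename) is simplified, the records in EVENTS are built from the report's IoCs rather than exported from the sandbox, and the benign "VendorUpdate" entry with PID 5000 is invented to show what the heuristics leave alone.

```python
# Added example: host-side detection for the behaviours in the process tree.
# Not report code; event records are constructed from the report's IoCs.
import re
from collections import defaultdict
from typing import Dict, List

HEX32 = re.compile(r"^[0-9a-f]{32}(\.exe)?$", re.I)
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_FILE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
NETSH_ALLOW = re.compile(
    r"netsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|"
    r"advfirewall\s+firewall\s+add\s+rule)", re.I)          # legacy and current syntax
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)


def check_registry(e: dict) -> List[str]:
    """EventID 13: Run value named by a 32-hex id, pointing into a user-writable dir, ending in ' ..'."""
    m = RUN_VALUE.search(e.get("TargetObject", ""))
    if not m:
        return []
    hits = []
    if HEX32.match(m.group(1)):
        hits.append("run-key name is a 32-hex id")
    data = e.get("Details", "")
    if data.rstrip().endswith(" .."):
        hits.append("run-key data carries the ' ..' argument")
    if USER_WRITABLE.search(data):
        hits.append("run-key target lives under %AppData%/%LocalAppData%")
    return hits


def check_file(e: dict) -> List[str]:
    """EventID 11: executable dropped into the Startup folder under a 32-hex name."""
    m = STARTUP_FILE.search(e.get("TargetFilename", ""))
    if m and HEX32.match(m.group(1)):
        return ["startup-folder drop named by 32-hex id"]
    return []


def check_process(e: dict) -> List[str]:
    """EventID 1: netsh used to allow a program, worse when the program is under %AppData%."""
    cmd = e.get("CommandLine", "")
    if not NETSH_ALLOW.search(cmd):
        return []
    hits = ["netsh firewall exception added"]
    if USER_WRITABLE.search(cmd):
        hits.append("exception targets a binary under %AppData%/%LocalAppData%")
    return hits


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Map each flagged process id to its reasons. The parent that launched netsh is
    credited too, so the chain 1304 -> 4464 surfaces on the dropped payload, not only netsh."""
    findings: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        hits: List[str] = []
        if e["EventID"] == 13:
            hits = check_registry(e)
        elif e["EventID"] == 11:
            hits = check_file(e)
        elif e["EventID"] == 1:
            hits = check_process(e)
            if hits and "ParentProcessId" in e:
                findings[e["ParentProcessId"]].append("spawned netsh to add a firewall exception")
        if hits:
            findings[e["ProcessId"]].extend(hits)
    return dict(findings)


# Constructed events mirroring the report (paths and PIDs from the process tree),
# plus one invented benign Run value (PID 5000) that must not fire.
EVENTS = [
    {"EventID": 1, "ProcessId": 4464, "ParentProcessId": 1304,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE'},
    {"EventID": 13, "ProcessId": 1304,
     "TargetObject": r"HKU\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\Google Root.exe" ..'},
    {"EventID": 11, "ProcessId": 1304,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe"},
    {"EventID": 13, "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r'"C:\Program Files\Vendor\update.exe" /silent'},
]


if __name__ == "__main__":
    for pid, reasons in detect(EVENTS).items():
        print(pid, reasons)
```

Each check is deliberately independent, so a legitimate installer that writes a Run value into Program Files scores nothing, while the dropped "Google Root.exe" accumulates five reasons across registry, file and child-process events.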
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
The Run Keys / Startup Folder mappings are backed by the "Adds Run key" and "Drops startup file" signatures above; no service-creation event appears among this run's IoCs, so the Windows Service mapping is not corroborated here.
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Google Root.exe
Filesize: 98KB
MD5: 86a34e496ef63dd3402c1fcc25d7f757
SHA1: c8da716483fcbafe7eb9fa71b7e64a88189ec6f1
SHA256: 56a571c098926202f99018b269d4ad834308919af35d78c17410dd934aa52bf9
SHA512: 6da020710232c563a806de1c3c76e3f6151b5414df70b4900c3536347287537e79395c8a4b3745aeff8b6dad496ee070f558a1d090d3258012af29f4bccf7841
These hashes are identical to the submitted sample's: the dropped "Google Root.exe" is a self-copy, so one hash set covers both stages.
-
memory/1304-26-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/1304-25-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/1304-24-0x0000000004BB0000-0x0000000004BBA000-memory.dmp  Filesize: 40KB
memory/1304-23-0x0000000004BF0000-0x0000000004C82000-memory.dmp  Filesize: 584KB
memory/1304-21-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/1304-20-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/3524-6-0x0000000005E40000-0x00000000063E4000-memory.dmp  Filesize: 5.6MB
memory/3524-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp  Filesize: 4KB
memory/3524-19-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/3524-5-0x0000000003120000-0x000000000312E000-memory.dmp  Filesize: 56KB
memory/3524-4-0x0000000074CE0000-0x0000000075490000-memory.dmp  Filesize: 7.7MB
memory/3524-3-0x0000000003110000-0x0000000003122000-memory.dmp  Filesize: 72KB
memory/3524-2-0x00000000057F0000-0x000000000588C000-memory.dmp  Filesize: 624KB
memory/3524-1-0x0000000000D90000-0x0000000000DAE000-memory.dmp  Filesize: 120KB