Analysis
max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 21:56
Behavioral task: behavioral1
  Sample: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
Size: 239KB
MD5: 8f914d5a9f21e8193bb07c48be79f907
SHA1: d58b6dd6bfe262ad7e99166743731be4675e4793
SHA256: 91e7faa49400b67d8ec0436d209298b02208555ca6f8a2ea89c6933fcf46d550
SHA512: f02a94d37f8941484a494fbfde8a19e64aaffb5922ba36f1e8aa60f04e34e9585544047e4dea2e5d7c07e28a9ee4e5cffc2824d1998b91163a833841617fb9ad
SSDEEP: 3072:71VRbim6jKYX38RcNdyb9KsfzPec0CI1eqytasor9nPYbx4nznYB4W:75bi1Tdybw2ac0CQ0KAxd
Malware Config
Extracted: njrat
  0.6.4
  تم الاختراق من قبل دكتور الغربية #
  Dr187.ddns.net:999
  59e66e4fd01ed7a53bb65713760bdb7d
  reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
  splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 2664  netsh.exe
- Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe  (Google Root.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe  (Google Root.exe)
- Executes dropped EXE (3 IoCs)
  Processes:
    pid 1812  TempWest.exe
    pid 2676  TempROOT.exe
    pid 2764  Google Root.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid 1640  8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe (2 events)
    pid 1812  TempWest.exe
- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource / YARA rule:
    behavioral1/memory/1640-1-0x0000000000370000-0x00000000003B4000-memory.dmp  agile_net
    \Users\Admin\AppData\Local\TempWest.exe  agile_net
    behavioral1/memory/1812-18-0x0000000000C80000-0x0000000000CB8000-memory.dmp  agile_net
    behavioral1/memory/2764-26-0x00000000000C0000-0x00000000000F8000-memory.dmp  agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."  (Google Root.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."  (Google Root.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes:
    pid 2764  Google Root.exe (32 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 2764  Google Root.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (source -> target):
    pid 1640  8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe wrote to memory of pid 1812  TempWest.exe (4 events)
    pid 1640  8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe wrote to memory of pid 2676  TempROOT.exe (4 events)
    pid 1812  TempWest.exe wrote to memory of pid 2764  Google Root.exe (3 events)
    pid 2764  Google Root.exe wrote to memory of pid 2664  netsh.exe (3 events)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe"
    PID: 1640
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\TempWest.exe
        Command line: "C:\Users\Admin\AppData\Local\TempWest.exe"
        PID: 1812
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\Google Root.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
            PID: 2764
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\netsh.exe
                Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
                PID: 2664
                - Modifies Windows Firewall
    [2] C:\Users\Admin\AppData\Local\TempROOT.exe
        Command line: "C:\Users\Admin\AppData\Local\TempROOT.exe"
        PID: 2676
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
- \Users\Admin\AppData\Local\TempROOT.exe
  Filesize: 18KB
  MD5: 6f876277688096dda31b8b94edb18633
  SHA1: ea4fc7d7f842a3d899a2c29f6f3a318214e94605
  SHA256: ff9a661b36f8b5e98e477d9329b05d1c450e1f95004d5bd026f70dc645ab54f6
  SHA512: 84c96829996725478d70ff9e66cc2f0bd1f90f2f5c8531bcd04b7593384b4bcdd60eec2e2ae421ab223632e0fa23a6b2558312fe19c77157d981d50624877888
- \Users\Admin\AppData\Local\TempWest.exe
  Filesize: 204KB
  MD5: ba77100528225b8eafa4e0764f643392
  SHA1: 3b4551444129a72c51c360ffca5c6304bfb7ef66
  SHA256: c30c72155e291ba9e42ff165718f21888083fd94d317476d90085fe76fd64334
  SHA512: f994027f1387d18a57ba4b8116456697f12d12f5c3f9109c12219e1309e657f70c851213924dd3a223f90ef0ce4e70667d94d38d374f6068a4b063247ab8f1d7
- memory/1640-0-0x00000000745DE000-0x00000000745DF000-memory.dmp
  Filesize: 4KB
- memory/1640-1-0x0000000000370000-0x00000000003B4000-memory.dmp
  Filesize: 272KB
- memory/1640-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp
  Filesize: 6.9MB
- memory/1640-28-0x00000000745DE000-0x00000000745DF000-memory.dmp
  Filesize: 4KB
- memory/1640-29-0x00000000745D0000-0x0000000074CBE000-memory.dmp
  Filesize: 6.9MB
- memory/1812-16-0x000007FEF5963000-0x000007FEF5964000-memory.dmp
  Filesize: 4KB
- memory/1812-18-0x0000000000C80000-0x0000000000CB8000-memory.dmp
  Filesize: 224KB
- memory/1812-19-0x00000000004C0000-0x00000000004CE000-memory.dmp
  Filesize: 56KB
- memory/2676-17-0x00000000010F0000-0x00000000010FC000-memory.dmp
  Filesize: 48KB
- memory/2764-26-0x00000000000C0000-0x00000000000F8000-memory.dmp
  Filesize: 224KB