Analysis
- max time kernel: 149s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 21:56
Behavioral tasks
- behavioral1: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe on win7-20240508-en
- behavioral2: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe on win10v2004-20240508-en (the signatures, process tree and memory dumps below are from this Windows 10 run)
General
- Target: 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
- Size: 239KB
- MD5: 8f914d5a9f21e8193bb07c48be79f907
- SHA1: d58b6dd6bfe262ad7e99166743731be4675e4793
- SHA256: 91e7faa49400b67d8ec0436d209298b02208555ca6f8a2ea89c6933fcf46d550
- SHA512: f02a94d37f8941484a494fbfde8a19e64aaffb5922ba36f1e8aa60f04e34e9585544047e4dea2e5d7c07e28a9ee4e5cffc2824d1998b91163a833841617fb9ad
- SSDEEP: 3072:71VRbim6jKYX38RcNdyb9KsfzPec0CI1eqytasor9nPYbx4nznYB4W:75bi1Tdybw2ac0CQ0KAxd
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Campaign ID: تم الاختراق من قبل دكتور الغربية # (Arabic, "Hacked by Doctor Al-Gharbia #")
- C2: Dr187.ddns.net:999
- Mutex: 59e66e4fd01ed7a53bb65713760bdb7d
- reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
- splitter: |'|'|

The same 32-character hex value serves as mutex, as the Run-key value name and as the file name dropped into the Startup folder (see Signatures), so it is the single most useful host indicator for this build. The C2 is a dynamic-DNS host on a non-standard port; the Network section of this report records no resolution or connection to it, so the host name and port should be treated as configured, not observed, indicators.
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (PID 3728)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation, by 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation, by TempWest.exe
  Both the dropper and the second-stage loader read the key; the report does not show which country codes, if any, make the sample exit.
- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe, by Google Root.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe, by Google Root.exe
- Executes dropped EXE (3 IoCs)
  PID 2640 TempWest.exe; PID 1424 TempROOT.exe; PID 4880 Google Root.exe
  The two first-stage drops land directly in C:\Users\Admin\AppData\Local\ with "Temp" as a file-name prefix (TempWest.exe, TempROOT.exe), not inside the Temp directory; the full paths are worth hunting for as written.
- Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched:
  - behavioral2/memory/4952-1-0x0000000000600000-0x0000000000644000-memory.dmp (the submitted sample, PID 4952)
  - C:\Users\Admin\AppData\Local\TempWest.exe (dropped file)
  - behavioral2/memory/2640-33-0x0000000000A60000-0x0000000000A98000-memory.dmp (TempWest.exe, PID 2640)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" ..", by Google Root.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" ..", by Google Root.exe
  The value name is the configured reg_key, and the trailing ".." is the argument njRAT appends when launching its installed copy; together they are a reliable njRAT indicator. The HKLM write succeeded only because the sandbox user is an administrator (SeDebugPrivilege was also enabled, below); on a standard user account only the HKCU entry would be created.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Process: Google Root.exe (PID 4880), 32 process-enumeration events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege enabled by Google Root.exe (PID 4880)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4952 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe wrote to PID 2640 TempWest.exe (2 events)
  PID 4952 8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe wrote to PID 1424 TempROOT.exe (3 events)
  PID 2640 TempWest.exe wrote to PID 4880 Google Root.exe (2 events)
  PID 4880 Google Root.exe wrote to PID 3728 netsh.exe (2 events)
  Each pair is a parent and the child it launched (compare the process tree), with only two or three writes per child, which is consistent with process start-up rather than code injection into an unrelated process.
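The signatures above are individually noisy (Run keys, Startup-folder files and netsh rules all have legitimate uses), but the combination from one process is not. The following rules are an added example, not part of the sandbox report: they run over constructed, Sysmon-like records built from this page's IoCs (the field names event, pid, ppid, image, cmdline, key, value, data and path are an assumed schema, not a real log format), score each event, and then correlate per process so that the full chain from Google Root.exe stands out while a benign OneDrive Run-key write from explorer.exe does not fire.

```python
# Added example: behavioural rules for the njRAT chain in this report.
# EVENTS is constructed from the page's IoCs in a simplified, Sysmon-like
# shape; the field names are an assumption, not a real log schema.
import re
from collections import defaultdict

GROOT = r"C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
RUN_VALUE = "59e66e4fd01ed7a53bb65713760bdb7d"      # reg_key from the extracted config

EVENTS = [  # constructed records; the explorer.exe entry is a benign control
    {"event": "RegistryQueryValue", "pid": 4952, "key": r"HKCU\Control Panel\International\Geo\Nation",
     "image": r"C:\Users\Admin\AppData\Local\Temp\8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe"},
    {"event": "ProcessCreate", "pid": 3728, "ppid": 4880, "image": r"C:\Windows\SYSTEM32\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{GROOT}" "Google Root.exe" ENABLE'},
    {"event": "RegistrySetValue", "pid": 4880, "image": GROOT, "value": RUN_VALUE,
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "data": f'"{GROOT}" ..'},
    {"event": "RegistrySetValue", "pid": 4880, "image": GROOT, "value": RUN_VALUE,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "data": f'"{GROOT}" ..'},
    {"event": "FileCreate", "pid": 4880, "image": GROOT,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe"},
    {"event": "RegistrySetValue", "pid": 1000, "image": r"C:\Windows\explorer.exe", "value": "OneDrive",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
NETSH_ALLOW = re.compile(r"firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def rule_netsh_exception(ev):
    """netsh opening the firewall for a binary that lives in a user-writable directory."""
    if ev["event"] != "ProcessCreate" or not ev["image"].lower().endswith(r"\netsh.exe"):
        return None
    if not NETSH_ALLOW.search(ev["cmdline"]):
        return None
    programs = [q for q in re.findall(r'"([^"]+)"', ev["cmdline"]) if "\\" in q]
    if not any(USER_WRITABLE.search(p) for p in programs):
        return None
    # attribute the finding to the parent: netsh is only the tool it used
    return {"rule": "netsh_firewall_exception", "actor": ev["ppid"], "detail": programs[0]}


def rule_run_key(ev):
    """Run-key value carrying njRAT's '..' argument, or a 32-hex name pointing at a staged binary."""
    if ev["event"] != "RegistrySetValue" or not RUN_KEY.search(ev["key"]):
        return None
    njrat_marker = ev["data"].rstrip().endswith(" ..")
    staged_hex_name = bool(USER_WRITABLE.search(ev["data"])) and bool(HEX32.match(ev["value"]))
    if not (njrat_marker or staged_hex_name):
        return None
    return {"rule": "run_key_persistence", "actor": ev["pid"],
            "detail": ev["key"] + "\\" + ev["value"], "njrat_marker": njrat_marker}


def rule_startup_drop(ev):
    """File written into a Startup folder by a process running from a staged location."""
    if ev["event"] != "FileCreate" or not STARTUP_DIR.search(ev["path"]):
        return None
    if not USER_WRITABLE.search(ev["image"]):
        return None
    return {"rule": "startup_folder_drop", "actor": ev["pid"], "detail": ev["path"]}


def rule_geofence(ev):
    """Country-code lookup in the registry by a process running from a staged location."""
    if ev["event"] != "RegistryQueryValue" or not ev["key"].lower().endswith(r"\geo\nation"):
        return None
    if not USER_WRITABLE.search(ev["image"]):
        return None
    return {"rule": "geo_nation_lookup", "actor": ev["pid"], "detail": ev["image"]}


RULES = (rule_netsh_exception, rule_run_key, rule_startup_drop, rule_geofence)


def scan(events):
    """Run every rule over every event and collect the findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def correlate(findings):
    """Per-process verdict: Run key + Startup file + firewall hole from one process is the njRAT chain."""
    seen_by_actor = defaultdict(set)
    for f in findings:
        seen_by_actor[f["actor"]].add(f["rule"])
    chain = {"run_key_persistence", "startup_folder_drop", "netsh_firewall_exception"}
    return {pid: ("njrat_persistence_chain" if chain <= seen else "suspicious")
            for pid, seen in seen_by_actor.items()}


if __name__ == "__main__":
    hits = scan(EVENTS)
    for h in hits:
        print(h)
    print(correlate(hits))
```

Two design points carry over to real telemetry. The netsh finding is attributed to the parent PID, because the process that matters is the one that asked for the exception, and the rule also accepts the modern advfirewall syntax so a rebuilt sample cannot dodge it by dropping the legacy context. The Run-key rule fires on the ".." argument on its own, without requiring the 32-hex name, since the name is per-build while the argument is a property of the njRAT family.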
Processes
- C:\Users\Admin\AppData\Local\Temp\8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe (PID 4952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8f914d5a9f21e8193bb07c48be79f907_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\TempWest.exe (PID 2640)
    Command line: "C:\Users\Admin\AppData\Local\TempWest.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Google Root.exe (PID 4880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\netsh.exe (PID 3728)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
        - Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\TempROOT.exe (PID 1424)
    Command line: "C:\Users\Admin\AppData\Local\TempROOT.exe"
    - Executes dropped EXE

The chain is the dropper (PID 4952) -> TempWest.exe -> Google Root.exe -> netsh.exe. Google Root.exe is the process that carries out the njRAT persistence (its Run-key value name matches the extracted reg_key), and the exception it adds is for itself. TempROOT.exe is started by the dropper directly and shows no further behaviour in this run. The legacy "netsh firewall" context is deprecated on Windows 10 but still honoured, so the command does add a real inbound exception for the Temp-resident binary.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process: Windows Service (1)
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process: Windows Service (1)
  - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\TempROOT.exe
  Filesize: 18KB
  MD5: 6f876277688096dda31b8b94edb18633
  SHA1: ea4fc7d7f842a3d899a2c29f6f3a318214e94605
  SHA256: ff9a661b36f8b5e98e477d9329b05d1c450e1f95004d5bd026f70dc645ab54f6
  SHA512: 84c96829996725478d70ff9e66cc2f0bd1f90f2f5c8531bcd04b7593384b4bcdd60eec2e2ae421ab223632e0fa23a6b2558312fe19c77157d981d50624877888
- C:\Users\Admin\AppData\Local\TempWest.exe
  Filesize: 204KB
  MD5: ba77100528225b8eafa4e0764f643392
  SHA1: 3b4551444129a72c51c360ffca5c6304bfb7ef66
  SHA256: c30c72155e291ba9e42ff165718f21888083fd94d317476d90085fe76fd64334
  SHA512: f994027f1387d18a57ba4b8116456697f12d12f5c3f9109c12219e1309e657f70c851213924dd3a223f90ef0ce4e70667d94d38d374f6068a4b063247ab8f1d7

Memory dumps (behavioral2; names are PID-index-start-end)
- memory/1424-53-0x0000000004E30000-0x0000000004E40000-memory.dmp: 64KB
- memory/1424-52-0x0000000074A8E000-0x0000000074A8F000-memory.dmp: 4KB
- memory/1424-36-0x0000000004E30000-0x0000000004E40000-memory.dmp: 64KB
- memory/1424-32-0x00000000002E0000-0x00000000002EC000-memory.dmp: 48KB
- memory/1424-31-0x0000000074A8E000-0x0000000074A8F000-memory.dmp: 4KB
- memory/2640-34-0x0000000002B90000-0x0000000002BA0000-memory.dmp: 64KB
- memory/2640-35-0x0000000001340000-0x000000000134E000-memory.dmp: 56KB
- memory/2640-33-0x0000000000A60000-0x0000000000A98000-memory.dmp: 224KB
- memory/2640-22-0x00007FF9D5273000-0x00007FF9D5275000-memory.dmp: 8KB
- memory/4952-5-0x0000000005010000-0x000000000501A000-memory.dmp: 40KB
- memory/4952-6-0x00000000052D0000-0x0000000005326000-memory.dmp: 344KB
- memory/4952-4-0x00000000050E0000-0x0000000005172000-memory.dmp: 584KB
- memory/4952-7-0x0000000074A80000-0x0000000075230000-memory.dmp: 7.7MB
- memory/4952-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp: 4KB
- memory/4952-3-0x0000000005690000-0x0000000005C34000-memory.dmp: 5.6MB
- memory/4952-50-0x0000000074A8E000-0x0000000074A8F000-memory.dmp: 4KB
- memory/4952-51-0x0000000074A80000-0x0000000075230000-memory.dmp: 7.7MB
- memory/4952-2-0x0000000005040000-0x00000000050DC000-memory.dmp: 624KB
- memory/4952-1-0x0000000000600000-0x0000000000644000-memory.dmp: 272KB