Resubmissions
03-06-2024 05:29
240603-f62bjadb7x

Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
- submitted: 03-06-2024 05:29
Behavioral task behavioral1
- Sample: 90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
- Resource: win7-20240220-en

Behavioral task behavioral2
- Sample: 90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
- Size: 211KB
- MD5: 90b0dacdb9974cb1f970960e3c082167
- SHA1: 921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
- SHA256: 071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
- SHA512: 798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
- SSDEEP: 6144:8+0qeo57l6zMm3CRT9qyfdiQgInzZOBT:8PqeMwzXC2+4Yd
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: تم الاختراق من قبل دكتور الغربية #
- C2: Dr187.ddns.net:999
- Mutex: 59e66e4fd01ed7a53bb65713760bdb7d
Attributes
- reg_key: 59e66e4fd01ed7a53bb65713760bdb7d
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: pid 2780 netsh.exe
- Drops startup file (2 IoCs)
  Google Root.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
  Google Root.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59e66e4fd01ed7a53bb65713760bdb7d.exe
- Executes dropped EXE (1 IoC)
  Processes: pid 3044 Google Root.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1508 90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
- Obfuscated with Agile.Net obfuscator (3 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  YARA rule agile_net matched:
    behavioral1/memory/1508-1-0x00000000001A0000-0x00000000001DA000-memory.dmp
    \Users\Admin\AppData\Local\Temp\Google Root.exe
    behavioral1/memory/3044-12-0x0000000001090000-0x00000000010CA000-memory.dmp
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Google Root.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
  Google Root.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\59e66e4fd01ed7a53bb65713760bdb7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Google Root.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: pid 3044 Google Root.exe (all 18 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Google Root.exe (pid 3044): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1508 90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe wrote to memory of PID 3044 Google Root.exe (3 events)
  PID 3044 Google Root.exe wrote to memory of PID 2780 netsh.exe (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe"
   PID: 1508
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Google Root.exe (child of PID 1508)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Google Root.exe"
      PID: 3044
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\netsh.exe (child of PID 3044)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Google Root.exe" "Google Root.exe" ENABLE
         PID: 2780
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- \Users\Admin\AppData\Local\Temp\Google Root.exe
  Filesize: 211KB
  MD5: 90b0dacdb9974cb1f970960e3c082167
  SHA1: 921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
  SHA256: 071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
  SHA512: 798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
- memory/1508-0-0x000007FEF5ED3000-0x000007FEF5ED4000-memory.dmp
  Filesize: 4KB
- memory/1508-1-0x00000000001A0000-0x00000000001DA000-memory.dmp
  Filesize: 232KB
- memory/1508-2-0x0000000000210000-0x000000000021E000-memory.dmp
  Filesize: 56KB
- memory/1508-3-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB
- memory/1508-10-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB
- memory/3044-12-0x0000000001090000-0x00000000010CA000-memory.dmp
  Filesize: 232KB
- memory/3044-11-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB
- memory/3044-14-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB
- memory/3044-15-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB
- memory/3044-16-0x000007FEF5ED0000-0x000007FEF68BC000-memory.dmp
  Filesize: 9.9MB