Resubmissions
03-06-2024 05:29
240603-f62bjadb7xGeneral
-
Target
90b0dacdb9974cb1f970960e3c082167_JaffaCakes118
-
Size
211KB
-
Sample
240604-vrn5zsec32
-
MD5
90b0dacdb9974cb1f970960e3c082167
-
SHA1
921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
-
SHA256
071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
-
SHA512
798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
SSDEEP
6144:8+0qeo57l6zMm3CRT9qyfdiQgInzZOBT:8PqeMwzXC2+4Yd
Behavioral task
behavioral1
Sample
90b0dacdb9974cb1f970960e3c082167_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
njrat
0.6.4
تم الاختراق من قبل دكتور الغربية #
Dr187.ddns.net:999
59e66e4fd01ed7a53bb65713760bdb7d
-
reg_key
59e66e4fd01ed7a53bb65713760bdb7d
-
splitter
|'|'|
Targets
-
-
Target
90b0dacdb9974cb1f970960e3c082167_JaffaCakes118
-
Size
211KB
-
MD5
90b0dacdb9974cb1f970960e3c082167
-
SHA1
921e17c1f9b6803ec6be7b4cde70e81e1163fd3d
-
SHA256
071fc19802f6780857fc4a516f64df6673cadba104828d7b2f11ed5fdf8e43c3
-
SHA512
798ab85ccb0be6e565552321feb3bb71e45d8de0028e2ce6a37c2411341ab8b036f60febcc1199eab4e645727498310ea6737e9d7eedf582aebc8173ea6f80b2
-
SSDEEP
6144:8+0qeo57l6zMm3CRT9qyfdiQgInzZOBT:8PqeMwzXC2+4Yd
-
Drops file in Drivers directory
-
Manipulates Digital Signatures
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Registers COM server for autorun
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Event Triggered Execution
1Change Default File Association
1Defense Evasion
Subvert Trust Controls
2SIP and Trust Provider Hijacking
1Install Root Certificate
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4