Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 13:20
Static task: static1
Behavioral task: behavioral1
  Sample: ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
Size: 1.1MB
MD5: ae9a90540d79b7aa7f86b73562b7ac5c
SHA1: c4bc6df18791d74eadabddaae5709244932987ee
SHA256: ab04fb658dad391322e1518d65e085ea34b4dba81db53520397c0b6e5ae7cff2
SHA512: d88c806e08250c3b8dd094a2f420a47e349adaec3ebc03159bdf3fa1af988dc9ffe749cd05406fb6333a24950573f006bb419e3f9ea7216cafa630c84318ee3f
SSDEEP: 24576:teGpARnavJyU1m2IISC2PlP5kYDji6/AkzMYh7g6e:oGqkvJyLjmSlP5kYDpIOrh
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKer
C2: 91.232.111.212:7777
Mutex: 4a3d67ee61b43118e4130164dec374f7
Attributes:
  reg_key: 4a3d67ee61b43118e4130164dec374f7
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 2660 netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe)

Drops startup file (2 IoCs)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe (expler.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4a3d67ee61b43118e4130164dec374f7.exe (expler.exe)

Executes dropped EXE (1 IoC)
  Processes:
    pid 1968 expler.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." (expler.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4a3d67ee61b43118e4130164dec374f7 = "\"C:\\Users\\Admin\\expler.exe\" .." (expler.exe)

Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes:
    File created: C:\autorun.inf (expler.exe)
    File opened for modification: C:\autorun.inf (expler.exe)
    File created: D:\autorun.inf (expler.exe)
    File created: F:\autorun.inf (expler.exe)
    File opened for modification: F:\autorun.inf (expler.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  Processes:
    pid 2184 ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe (2 occurrences)
    pid 1968 expler.exe (15 occurrences)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  Processes:
    pid 1352 taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1968 expler.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1968 expler.exe

Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 1968 expler.exe
    Token: SeDebugPrivilege, pid 1352 taskkill.exe
    Token: 33, pid 1968 expler.exe (17 occurrences)
    Token: SeIncBasePriorityPrivilege, pid 1968 expler.exe (17 occurrences)

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 2184 ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
    pid 1968 expler.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2184 (ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe) wrote to memory of 1968 (expler.exe) (3 occurrences)
    PID 1968 (expler.exe) wrote to memory of 2660 (netsh.exe) (3 occurrences)
    PID 1968 (expler.exe) wrote to memory of 1352 (taskkill.exe) (3 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ae9a90540d79b7aa7f86b73562b7ac5c_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\expler.exe
      Command line: "C:\Users\Admin\expler.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\expler.exe" "expler.exe" ENABLE
         - Modifies Windows Firewall

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /F /IM Exsample.exe
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\expler.exe
  Filesize: 1.1MB
  MD5: ae9a90540d79b7aa7f86b73562b7ac5c
  SHA1: c4bc6df18791d74eadabddaae5709244932987ee
  SHA256: ab04fb658dad391322e1518d65e085ea34b4dba81db53520397c0b6e5ae7cff2
  SHA512: d88c806e08250c3b8dd094a2f420a47e349adaec3ebc03159bdf3fa1af988dc9ffe749cd05406fb6333a24950573f006bb419e3f9ea7216cafa630c84318ee3f

memory/1968-26-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/1968-41-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/1968-40-0x0000000000900000-0x0000000000C76000-memory.dmp
  Filesize: 3.5MB

memory/1968-28-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/1968-22-0x0000000000900000-0x0000000000C76000-memory.dmp
  Filesize: 3.5MB

memory/1968-25-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/2184-3-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/2184-27-0x00000000009F0000-0x0000000000D66000-memory.dmp
  Filesize: 3.5MB

memory/2184-24-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/2184-0-0x00000000009F0000-0x0000000000D66000-memory.dmp
  Filesize: 3.5MB

memory/2184-2-0x00000000746C0000-0x0000000074C71000-memory.dmp
  Filesize: 5.7MB

memory/2184-1-0x00000000746C2000-0x00000000746C3000-memory.dmp
  Filesize: 4KB