Analysis
-
max time kernel
148s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
22-06-2024 20:37
Static task
static1
Behavioral task
behavioral1
Sample
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
-
Size
45KB
-
MD5
03cb57011a5d97ea77106542e0b52fa6
-
SHA1
be45b9a381941b78abc74cb3589c04a13bd81761
-
SHA256
3cd2b93b5e1a87261fc6ac3f0a424ceb3cdf7bd967cbe9c23282743bcb143e19
-
SHA512
631fa33611753b1a71f57c73e10b7eaa7e87699c58a2df2af26bb0b1afc59f91c49764ca7528d2c9c039245efd3886f14cfaa61b49edf0644bbb2f1db186f78a
-
SSDEEP
768:BapD+Zwq3r1uFbaYh+Jnq7az+xRug+n2hpUE+fDNkQp6HwfYT4X9b1S5HeQMKz:BgD+HZuY5q7az+GgDbUfZkQTfA4Xl1SB
Malware Config
Extracted
Family
njrat
Version
0.7d
Botnet
B HAT
Mutex
1fcb8fb3a4794ae29f1b8ef01d138a35
-
reg_key
1fcb8fb3a4794ae29f1b8ef01d138a35
-
splitter
|'|'|
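Added example (not part of the sandbox report, and not the sample's own code): a Python model of the njRAT 0.7d wire format that the `splitter` attribute above configures. njRAT frames every TCP message as an ASCII decimal length, a NUL byte, then the payload, and the payload is a list of fields joined with the splitter (here `|'|'|`). The first client message is an `ll` registration beacon whose second field is the base64 encoding of `<botnet>_<victim id>`, which is why the Botnet and Mutex/reg_key values from the config are reused below. The hostname, username, date and trailing beacon fields are constructed, and the exact trailing-field order is an assumption; the `act` verb in the second sample frame is likewise constructed test data.

```python
import base64

# Values taken from the extracted config above.
SPLITTER = "|'|'|"
BOTNET = "B HAT"
VICTIM_ID = "1fcb8fb3a4794ae29f1b8ef01d138a35"   # reg_key / mutex


def frame(payload: bytes) -> bytes:
    """njRAT framing: ASCII decimal length, one NUL byte, then the payload."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def unframe(stream: bytes):
    """Pull every complete frame off a byte stream. Returns (payloads, leftover).
    A trailing partial frame is left in `leftover` so the caller can wait for more data."""
    out = []
    while True:
        nul = stream.find(b"\x00")
        if nul <= 0 or not stream[:nul].isdigit():
            break                       # no complete length prefix yet (or junk)
        end = nul + 1 + int(stream[:nul])
        if len(stream) < end:
            break                       # partial frame
        out.append(stream[nul + 1:end])
        stream = stream[end:]
    return out, stream


def join_fields(fields, splitter: str = SPLITTER) -> bytes:
    return splitter.join(fields).encode("utf-8")


def split_fields(payload: bytes, splitter: str = SPLITTER):
    return payload.decode("utf-8", errors="replace").split(splitter)


def build_registration(hostname: str, username: str, os_name: str,
                       botnet: str = BOTNET, victim: str = VICTIM_ID) -> bytes:
    """'ll' registration beacon. Bot id = base64('<botnet>_<victim id>');
    the remaining fields are constructed and their order is an assumption."""
    bot_id = base64.b64encode(f"{botnet}_{victim}".encode()).decode("ascii")
    return join_fields(["ll", bot_id, hostname, username, "24-06-22", "",
                        os_name, "No", "0.7d", "..", ""])


def classify(stream: bytes, splitter: str = SPLITTER):
    """Detection side: split a captured stream into frames, report the verb of each
    and decode the bot id from any 'll' beacon so it can be matched to a config."""
    payloads, _ = unframe(stream)
    results = []
    for p in payloads:
        f = split_fields(p, splitter)
        rec = {"verb": f[0], "nfields": len(f)}
        if f[0] == "ll" and len(f) > 1:
            try:
                rec["bot_id"] = base64.b64decode(f[1]).decode("utf-8", "replace")
            except Exception:           # not valid base64: keep the verb, drop the id
                rec["bot_id"] = None
        results.append(rec)
    return results


if __name__ == "__main__":
    beacon = build_registration("DESKTOP-TEST", "Admin", "Win 7 Ultimate SP1")
    capture = frame(beacon) + frame(join_fields(["act", "Untitled - Notepad"]))
    for rec in classify(capture):
        print(rec)
```

When writing a network signature from this, key on the length-NUL framing plus the `ll` verb rather than on the splitter alone: the splitter is a per-build setting, so a rule that only looks for `|'|'|` misses rebuilt samples, while the framing has stayed the same across njRAT versions.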
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
cr.exe
pid   process
2120  cr.exe -
Loads dropped DLL 1 IoCs
Processes:
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
pid   process
1932  03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\helo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cr.exe"
process: 03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
cr.exe
description                         pid   process
Token: SeDebugPrivilege             2120  cr.exe
Token: 33                           2120  cr.exe
Token: SeIncBasePriorityPrivilege   2120  cr.exe
(the last two entries alternate for the remaining 34 IoCs, 18 of each in total, all from pid 2120 cr.exe) -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
description: PID 1932 wrote to memory of 2120
pid: 1932
process: 03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
target process: cr.exe
(the same entry is recorded 4 times)
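Added example (not part of the report): triage logic run over the Run-key and WriteProcessMemory IoC lines above, copied into the script as constructed input. It parses the `Set value (str) ... Run\<name> = "<path>" <process>` line into hive, value name, target path and writing process, then scores the persistence entry on three signals the report supports: the target lives in a user-writable directory, the target's file name matches the dropped EXE that was executed, and the process that wrote the Run key is the one recorded writing into that EXE's memory. One caveat worth noting for hunting: the extracted config's `reg_key` (1fcb8fb3...) is not the value name actually observed (`helo`), and the key was written by the parent dropper (PID 1932) rather than by cr.exe, so a registry hunt keyed only on the config's reg_key would miss this persistence. The directory list and severity thresholds are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed copies of the IoC lines from the Signatures section, one entry per line.
RUN_KEY_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\helo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cr.exe" 03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe',
]
WPM_IOCS = [
    "PID 1932 wrote to memory of 2120 1932 03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe cr.exe",
] * 4
DROPPED_EXE = {"cr.exe": 2120}          # from "Executes dropped EXE"

# Assumed set of directories any interactive user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\(?:USER\\S-1-5-[\d-]+|MACHINE)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<hive>Run|RunOnce))'
    r'\\(?P<name>[^\\ ]+) = "(?P<value>.*)" (?P<proc>\S+)$')
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<srcimg>\S+) (?P<dstimg>\S+)$")


def parse_run_key(line: str):
    """Return hive, value name, un-escaped target path and writing process, or None."""
    m = RUN_RE.match(line)
    if not m:
        return None
    target = m["value"].replace("\\\\", "\\").strip('"')   # report shows JSON-escaped backslashes
    return {"hive": m["hive"], "name": m["name"], "target": target, "writer": m["proc"]}


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def parse_wpm(lines):
    """Count (src pid, src image, dst pid, dst image) edges from WriteProcessMemory IoCs."""
    edges = defaultdict(int)
    for line in lines:
        m = WPM_RE.match(line)
        if m:
            edges[(int(m["src"]), m["srcimg"], int(m["dst"]), m["dstimg"])] += 1
    return dict(edges)


def triage(run_lines, wpm_lines, dropped):
    """Score each Run-key IoC; two or more corroborating signals -> high."""
    findings = []
    edges = parse_wpm(wpm_lines)
    for line in run_lines:
        rk = parse_run_key(line)
        if rk is None:
            continue
        basename = rk["target"].rsplit("\\", 1)[-1]
        reasons = []
        if is_user_writable(rk["target"]):
            reasons.append("target in user-writable directory")
        if basename in dropped:
            reasons.append(f"target is the executed dropped EXE (pid {dropped[basename]})")
        children = sorted({dst for (src, simg, dst, dimg) in edges
                           if simg == rk["writer"] and dimg == basename})
        if children:
            reasons.append(f"Run-key writer also wrote into target's memory (pids {children})")
        findings.append({**rk, "basename": basename, "reasons": reasons,
                         "severity": "high" if len(reasons) >= 2 else "low"})
    return findings


if __name__ == "__main__":
    for f in triage(RUN_KEY_IOCS, WPM_IOCS, DROPPED_EXE):
        print(f["severity"], f["hive"], f["name"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```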
Processes
-
C:\Users\Admin\AppData\Local\Temp\03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\03cb57011a5d97ea77106542e0b52fa6_JaffaCakes118.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1932 -
    C:\Users\Admin\AppData\Local\Temp\cr.exe (child of PID 1932)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cr.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
39KB
MD5
439fdb0ea7684930d847a93836493e62
SHA1
2224ae4623be5566c764447ed63883bf9c191b83
SHA256
b59a407d6063dec7b0590e8bc38f8671f2407f03316433217a3cc175b926efbd
SHA512
1bd6ceeda3e5240ba9c980a54f923963fc6a01f4183026ad882510117019c38877015bbb115a1d71819eddbcf9c72a0b1434ebcdbbe1d2cbca6d9e14650f86ec