Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 23-06-2024 12:53
Static task: static1
Behavioral task: behavioral1
  Sample: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
Size: 8.7MB
MD5: 061a8d9824446f45d5112cbdd803f173
SHA1: f9ba93c1f7fa8adc7b7565f222d937ec56b97f75
SHA256: da61cd60682f6d7b95972d59830d9ac6d39690d1de4047f4768b0bfc572b78fa
SHA512: a69702e0dbe35accccba436af507557af5caeff0dba4040e56a22f109977c15147c83bc49b30dde9c94b92d11170659d260ae7d389f6aa871383267d2b2a0524
SSDEEP: 196608:SNBr/hpKFNfXtF0lbCR7QrWwrueSpEarKOa1oe8fv:SNxCFVXD0o/wrZiEaVa1ol
Malware Config
Extracted
Family: njrat
0.7d
pwtknew1
pwtk02.ddns.net:5552
25181c9f909bd4441f2b53785cd683a2
reg_key: 25181c9f909bd4441f2b53785cd683a2
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- pid 2828, netsh.exe
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25181c9f909bd4441f2b53785cd683a2.exe (javaupdate.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25181c9f909bd4441f2b53785cd683a2.exe (javaupdate.exe)
Executes dropped EXE (6 IoCs)
Processes:
- pid 1796, pwtk.exe
- pid 2748, huecheats.exe
- pid 3044, pwtk.exe
- pid 1188 (no process name listed)
- pid 2004, javaupdate.exe
- pid 2480, javaupdate.exe
Loads dropped DLL (11 IoCs)
Processes:
- pid 2068, 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe (5 entries)
- pid 1796, pwtk.exe
- pid 3044, pwtk.exe
- pid 2004, javaupdate.exe
- pid 2260, WerFault.exe (3 entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25181c9f909bd4441f2b53785cd683a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\javaupdate.exe\" .." (javaupdate.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\25181c9f909bd4441f2b53785cd683a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\javaupdate.exe\" .." (javaupdate.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- pid 2748, huecheats.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 1796 (pwtk.exe) set thread context of PID 3044 (pwtk.exe)
- PID 2004 (javaupdate.exe) set thread context of PID 2480 (javaupdate.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh (netsh.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 2748, huecheats.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (all entries are pid 2480, javaupdate.exe):
- Token: SeDebugPrivilege (1 entry)
- Token: 33 (17 entries)
- Token: SeIncBasePriorityPrivilege (17 entries)
After the SeDebugPrivilege entry, the report alternates Token: 33 and Token: SeIncBasePriorityPrivilege.
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- pid 2748, huecheats.exe (2 entries)
Suspicious use of WriteProcessMemory (49 IoCs)
Processes (source PID and process -> target PID and process, number of entries):
- PID 2068 (061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe) wrote to memory of PID 1796 (pwtk.exe): 7
- PID 2068 (061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe) wrote to memory of PID 2748 (huecheats.exe): 4
- PID 1796 (pwtk.exe) wrote to memory of PID 3044 (pwtk.exe): 12
- PID 3044 (pwtk.exe) wrote to memory of PID 2004 (javaupdate.exe): 7
- PID 2004 (javaupdate.exe) wrote to memory of PID 2480 (javaupdate.exe): 12
- PID 2480 (javaupdate.exe) wrote to memory of PID 2828 (netsh.exe): 4
- PID 2748 (huecheats.exe) wrote to memory of PID 2260 (WerFault.exe): 3
Processes

C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2068

  C:\Users\Admin\AppData\Roaming\pwtk.exe
  Command line: "C:\Users\Admin\AppData\Roaming\pwtk.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1796

    C:\Users\Admin\AppData\Roaming\pwtk.exe
    Command line: "{path}"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3044

      C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2004

        C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
        Command line: "{path}"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2480

          C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe" "javaupdate.exe" ENABLE
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          PID: 2828

  C:\Users\Admin\AppData\Roaming\huecheats.exe
  Command line: "C:\Users\Admin\AppData\Roaming\huecheats.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2748

    C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2748 -s 280
    - Loads dropped DLL
    PID: 2260
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

File 1
Filesize: 9.7MB
MD5: 03670a3264a00379a2e6497c0cc84660
SHA1: f8be2b1dbf5f22777e6bfff45e250bccd90f6eb8
SHA256: 77cd28421b67137b653eb7722bb5879690530027aea63ba94746cda16524a906
SHA512: 54fcb14598c542af6697ed1741caa319dfb34d2b4ba1c666b651795101789a83b39ef71d501860867129e8132212b64c186dd1697c3d0bca61d41702a9b3aed9

File 2
Filesize: 40KB
MD5: 0cf4d99ef9305450bc818fc7ce941e91
SHA1: 13d217d800e9003f458f340d72305e7672996ec7
SHA256: 172bf347e03f7acb22546dd068ac7e9a49e7882bdc30f4e170e28c9ba4119883
SHA512: 43a755aa165518024326b41cf5c1bbdc1b3ebd2fb2012fcaac5ecb162b14de901b128590c13fed58c8c5e74153a9191f97f73d535ab73f9d8c49a57d5a42249c