Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-06-2024 12:53

General

  • Target

    061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe

  • Size

    8.7MB

  • MD5

    061a8d9824446f45d5112cbdd803f173

  • SHA1

    f9ba93c1f7fa8adc7b7565f222d937ec56b97f75

  • SHA256

    da61cd60682f6d7b95972d59830d9ac6d39690d1de4047f4768b0bfc572b78fa

  • SHA512

    a69702e0dbe35accccba436af507557af5caeff0dba4040e56a22f109977c15147c83bc49b30dde9c94b92d11170659d260ae7d389f6aa871383267d2b2a0524

  • SSDEEP

    196608:SNBr/hpKFNfXtF0lbCR7QrWwrueSpEarKOa1oe8fv:SNxCFVXD0o/wrZiEaVa1ol

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

pwtknew1

C2

pwtk02.ddns.net:5552

Mutex

25181c9f909bd4441f2b53785cd683a2

Attributes
  • reg_key

    25181c9f909bd4441f2b53785cd683a2

  • splitter

    |'|'|

Signatures

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (33 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\pwtk.exe
      "C:\Users\Admin\AppData\Roaming\pwtk.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Roaming\pwtk.exe
        "{path}"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
          "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1880
          • C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
            "{path}"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1480
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe" "javaupdate.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2452
    • C:\Users\Admin\AppData\Roaming\huecheats.exe
      "C:\Users\Admin\AppData\Roaming\huecheats.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
    1⤵
      PID:1096

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pwtk.exe.log

      Filesize

      418B

      MD5

      98eea38457c9976c0ec48b5a70964041

      SHA1

      281ec6ada096be89ade13852ca86edfe42ffe3c1

      SHA256

      4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf

      SHA512

      adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

    • C:\Users\Admin\AppData\Roaming\huecheats.exe

      Filesize

      9.7MB

      MD5

      03670a3264a00379a2e6497c0cc84660

      SHA1

      f8be2b1dbf5f22777e6bfff45e250bccd90f6eb8

      SHA256

      77cd28421b67137b653eb7722bb5879690530027aea63ba94746cda16524a906

      SHA512

      54fcb14598c542af6697ed1741caa319dfb34d2b4ba1c666b651795101789a83b39ef71d501860867129e8132212b64c186dd1697c3d0bca61d41702a9b3aed9

    • C:\Users\Admin\AppData\Roaming\pwtk.exe

      Filesize

      40KB

      MD5

      0cf4d99ef9305450bc818fc7ce941e91

      SHA1

      13d217d800e9003f458f340d72305e7672996ec7

      SHA256

      172bf347e03f7acb22546dd068ac7e9a49e7882bdc30f4e170e28c9ba4119883

      SHA512

      43a755aa165518024326b41cf5c1bbdc1b3ebd2fb2012fcaac5ecb162b14de901b128590c13fed58c8c5e74153a9191f97f73d535ab73f9d8c49a57d5a42249c

    • memory/1480-62-0x00000000058D0000-0x00000000058DA000-memory.dmp

      Filesize

      40KB

    • memory/1480-61-0x0000000005970000-0x0000000005A02000-memory.dmp

      Filesize

      584KB

    • memory/2596-36-0x00007FFDF2720000-0x00007FFDF2722000-memory.dmp

      Filesize

      8KB

    • memory/2596-33-0x00007FFDF0230000-0x00007FFDF0232000-memory.dmp

      Filesize

      8KB

    • memory/2596-59-0x00000143249A0000-0x0000014324AB5000-memory.dmp

      Filesize

      1.1MB

    • memory/2596-29-0x00007FFDF26F0000-0x00007FFDF26F2000-memory.dmp

      Filesize

      8KB

    • memory/2596-30-0x00007FFDF2700000-0x00007FFDF2702000-memory.dmp

      Filesize

      8KB

    • memory/2596-31-0x00007FFDF07C0000-0x00007FFDF07C2000-memory.dmp

      Filesize

      8KB

    • memory/2596-32-0x00007FFDF07D0000-0x00007FFDF07D2000-memory.dmp

      Filesize

      8KB

    • memory/2596-35-0x00007FFDF2710000-0x00007FFDF2712000-memory.dmp

      Filesize

      8KB

    • memory/2596-34-0x00007FFDF0240000-0x00007FFDF0242000-memory.dmp

      Filesize

      8KB

    • memory/2648-26-0x0000000000400000-0x000000000040C000-memory.dmp

      Filesize

      48KB

    • memory/4088-25-0x00000000058D0000-0x000000000596C000-memory.dmp

      Filesize

      624KB

    • memory/4088-24-0x00000000057C0000-0x00000000057CC000-memory.dmp

      Filesize

      48KB

    • memory/4088-23-0x0000000005D30000-0x00000000062D4000-memory.dmp

      Filesize

      5.6MB

    • memory/4088-22-0x0000000000E60000-0x0000000000E70000-memory.dmp

      Filesize

      64KB

    • memory/4088-19-0x000000007258E000-0x000000007258F000-memory.dmp

      Filesize

      4KB