Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-06-2024 12:53
Static task: static1

Behavioral task: behavioral1
- Sample: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
- Size: 8.7MB
- MD5: 061a8d9824446f45d5112cbdd803f173
- SHA1: f9ba93c1f7fa8adc7b7565f222d937ec56b97f75
- SHA256: da61cd60682f6d7b95972d59830d9ac6d39690d1de4047f4768b0bfc572b78fa
- SHA512: a69702e0dbe35accccba436af507557af5caeff0dba4040e56a22f109977c15147c83bc49b30dde9c94b92d11170659d260ae7d389f6aa871383267d2b2a0524
- SSDEEP: 196608:SNBr/hpKFNfXtF0lbCR7QrWwrueSpEarKOa1oe8fv:SNxCFVXD0o/wrZiEaVa1ol
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: pwtknew1
- C2: pwtk02.ddns.net:5552
- Mutex: 25181c9f909bd4441f2b53785cd683a2
- Attributes:
  - reg_key: 25181c9f909bd4441f2b53785cd683a2
  - splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
- PID 2452, netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, IoC, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation, by 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation, by pwtk.exe

Drops startup file (2 IoCs)
Processes (description, IoC, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25181c9f909bd4441f2b53785cd683a2.exe, by javaupdate.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25181c9f909bd4441f2b53785cd683a2.exe, by javaupdate.exe

Executes dropped EXE (5 IoCs)
Processes:
- PID 4088, pwtk.exe
- PID 2596, huecheats.exe
- PID 2648, pwtk.exe
- PID 1880, javaupdate.exe
- PID 1480, javaupdate.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, IoC, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25181c9f909bd4441f2b53785cd683a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\javaupdate.exe\" ..", by javaupdate.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25181c9f909bd4441f2b53785cd683a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\javaupdate.exe\" ..", by javaupdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 2596, huecheats.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description, PID, process, target process):
- PID 4088 set thread context of 2648: pwtk.exe -> pwtk.exe
- PID 1880 set thread context of 1480: javaupdate.exe -> javaupdate.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description, IoC, process):
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh, by netsh.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2596, huecheats.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (33 IoCs)
Processes (description, PID, process):
- Token: SeDebugPrivilege, PID 1480, javaupdate.exe (1 entry)
- Token: 33, PID 1480, javaupdate.exe (16 entries)
- Token: SeIncBasePriorityPrivilege, PID 1480, javaupdate.exe (16 entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
- PID 2596, huecheats.exe (3 entries)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description, PID, process, target process):
- PID 2064 wrote to memory of 4088: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe -> pwtk.exe (3 entries)
- PID 2064 wrote to memory of 2596: 061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe -> huecheats.exe (2 entries)
- PID 4088 wrote to memory of 2648: pwtk.exe -> pwtk.exe (8 entries)
- PID 2648 wrote to memory of 1880: pwtk.exe -> javaupdate.exe (3 entries)
- PID 1880 wrote to memory of 1480: javaupdate.exe -> javaupdate.exe (8 entries)
- PID 1480 wrote to memory of 2452: javaupdate.exe -> netsh.exe (3 entries)
Processes (indentation shows the parent/child tree; the number is the depth shown in the report)

1. C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\061a8d9824446f45d5112cbdd803f173_JaffaCakes118.exe"
   PID: 2064
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\pwtk.exe
      Command line: "C:\Users\Admin\AppData\Roaming\pwtk.exe"
      PID: 4088
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\pwtk.exe
         Command line: "{path}"
         PID: 2648
         - Checks computer location settings
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe"
            PID: 1880
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Local\Temp\javaupdate.exe
               Command line: "{path}"
               PID: 1480
               - Drops startup file
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\javaupdate.exe" "javaupdate.exe" ENABLE
                  PID: 2452
                  - Modifies Windows Firewall
                  - Event Triggered Execution: Netsh Helper DLL

   2. C:\Users\Admin\AppData\Roaming\huecheats.exe
      Command line: "C:\Users\Admin\AppData\Roaming\huecheats.exe"
      PID: 2596
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3124,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
   PID: 1096
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads

- Filesize: 418B
  MD5: 98eea38457c9976c0ec48b5a70964041
  SHA1: 281ec6ada096be89ade13852ca86edfe42ffe3c1
  SHA256: 4a7455429d6f3c7390f97bc406d0bcc7d64ddff6bee5ffa9e88c5a75f806bfcf
  SHA512: adb7bb4e1434d743932890aede4daa55c6e9f091415292775313dd172949fbd415f124c97e017a8204aab530b6184f196ab5cce005781b0853ffccc620f07530

- Filesize: 9.7MB
  MD5: 03670a3264a00379a2e6497c0cc84660
  SHA1: f8be2b1dbf5f22777e6bfff45e250bccd90f6eb8
  SHA256: 77cd28421b67137b653eb7722bb5879690530027aea63ba94746cda16524a906
  SHA512: 54fcb14598c542af6697ed1741caa319dfb34d2b4ba1c666b651795101789a83b39ef71d501860867129e8132212b64c186dd1697c3d0bca61d41702a9b3aed9

- Filesize: 40KB
  MD5: 0cf4d99ef9305450bc818fc7ce941e91
  SHA1: 13d217d800e9003f458f340d72305e7672996ec7
  SHA256: 172bf347e03f7acb22546dd068ac7e9a49e7882bdc30f4e170e28c9ba4119883
  SHA512: 43a755aa165518024326b41cf5c1bbdc1b3ebd2fb2012fcaac5ecb162b14de901b128590c13fed58c8c5e74153a9191f97f73d535ab73f9d8c49a57d5a42249c