762bdc2c74c2a3e76e0deeef9992dc390f6e0fb28713ab13f4ec8f0550a07fc8

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 17:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
Size

3.3MB
MD5

2d294d4ddd3fe94d76a9b487c63721b2
SHA1

9ed13cc550a981de61280cbc85a5dade0d81359c
SHA256

762bdc2c74c2a3e76e0deeef9992dc390f6e0fb28713ab13f4ec8f0550a07fc8
SHA512

a165617ad10fea3607dcb9b6e9bad09855ba1e9a672ea4ff2eb1cb2634ba6e4aab4a9a983973483074bc34e43a910478cf43f6bb0dcbe1942856332bcf8d5308
SSDEEP

49152:lBMi0HM12fGEHLaJezoLwwrOJSbXdWNJ8TUxm6Yejhz0UH3sOu+2mm7sCHDMF8Qz:lyiG2cGuRkLww7+LmbocOu+Y9kNyPL

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\nrdrvnt3.sys	nrinst03.exe
File created	C:\Windows\SysWOW64\DRIVERS\NCGUARD.SYS	ncclient.exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\NCGUARD.SYS	ncclient.exe

Executes dropped EXE 5 IoCs

pid	Process
2824	nckill.exe
1352	ncagent.exe
2168	ncstart.exe
2164	ncclient.exe
2240	nrinst03.exe

Loads dropped DLL 31 IoCs

pid	Process
2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
1352	ncagent.exe
1352	ncagent.exe
2168	ncstart.exe
2168	ncstart.exe
2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe
2164	ncclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NetClient RC Helper = "C:\\Windows\\SysWOW64\\NetClient40\\rc\\NrDeskHlp.exe"	ncclient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncaumon.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\nipflt.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\nswsearch.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\V3VName.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NRCX2.DLL	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\msvcprt4.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\n5rchk.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncblk.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\nciblk.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCPFLTV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NSECUV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\NrAlram.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\fsecuv.inf	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncaumon.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\Packet.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\SECU.vxd	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\msvcprt4.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncguard.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncwhk.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\v3mngt.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\hncrcm_kor.xml	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt3.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt2.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\nrmon.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncinstudo.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncmon_org.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncmudist.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCPFLTV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\CallC03.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\DrFtc.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\SECU.SYS	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\v3alert.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NSECU.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NSECUV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCClientUI.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\netmessage_kor.bin	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncmsg.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\SECU.vxd	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\Markup.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\NETVXD.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\n5lgn.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncagent.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCCustUI.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\nchfinfo.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncmon.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCSurvey.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NETVXD.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\Nrcdc1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncwinmgr.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NSECU.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\nchfinfo.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncinstudo.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncipmgr.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCMakeId.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncwinmgr.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NetUnzip.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncdatsec.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCGenDist.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncagent.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncdatsec.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCDISK.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncmon.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncnwkbk.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	nrinst03.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2824	nckill.exe
2824	nckill.exe
2168	ncstart.exe
2164	ncclient.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe
Token: SeRestorePrivilege	2240	nrinst03.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2824	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2824	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2824	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2824	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	30
PID 1352 wrote to memory of 2168	1352	ncagent.exe	32
PID 1352 wrote to memory of 2168	1352	ncagent.exe	32
PID 1352 wrote to memory of 2168	1352	ncagent.exe	32
PID 1352 wrote to memory of 2168	1352	ncagent.exe	32
PID 2168 wrote to memory of 2164	2168	ncstart.exe	33
PID 2168 wrote to memory of 2164	2168	ncstart.exe	33
PID 2168 wrote to memory of 2164	2168	ncstart.exe	33
PID 2168 wrote to memory of 2164	2168	ncstart.exe	33
PID 2164 wrote to memory of 2112	2164	ncclient.exe	34
PID 2164 wrote to memory of 2112	2164	ncclient.exe	34
PID 2164 wrote to memory of 2112	2164	ncclient.exe	34
PID 2164 wrote to memory of 2112	2164	ncclient.exe	34
PID 2732 wrote to memory of 2240	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2240	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2240	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	35
PID 2732 wrote to memory of 2240	2732	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	35
PID 2164 wrote to memory of 656	2164	ncclient.exe	36
PID 2164 wrote to memory of 656	2164	ncclient.exe	36
PID 2164 wrote to memory of 656	2164	ncclient.exe	36
PID 2164 wrote to memory of 656	2164	ncclient.exe	36
PID 2164 wrote to memory of 1432	2164	ncclient.exe	37
PID 2164 wrote to memory of 1432	2164	ncclient.exe	37
PID 2164 wrote to memory of 1432	2164	ncclient.exe	37
PID 2164 wrote to memory of 1432	2164	ncclient.exe	37
PID 2164 wrote to memory of 1668	2164	ncclient.exe	38
PID 2164 wrote to memory of 1668	2164	ncclient.exe	38
PID 2164 wrote to memory of 1668	2164	ncclient.exe	38
PID 2164 wrote to memory of 1668	2164	ncclient.exe	38
PID 2164 wrote to memory of 2448	2164	ncclient.exe	39
PID 2164 wrote to memory of 2448	2164	ncclient.exe	39
PID 2164 wrote to memory of 2448	2164	ncclient.exe	39
PID 2164 wrote to memory of 2448	2164	ncclient.exe	39

C:\Users\Admin\AppData\Local\Temp\2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\nckill.exe
  C:\Users\Admin\AppData\Local\Temp\nckill.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- C:\Windows\SysWOW64\NetClient40\RC\nrinst03.exe
  C:\Windows\system32\NetClient40\RC\nrinst03.exe -silent -i
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2240

C:\Windows\SysWOW64\NetClient40\ncagent.exe
C:\Windows\SysWOW64\NetClient40\ncagent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\NetClient40\ncstart.exe
  C:\Windows\SysWOW64\NetClient40\ncstart.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\NetClient40\ncclient.exe
    C:\Windows\SysWOW64\NetClient40\ncclient.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\ncclient.exe" name="NetClient1"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:2112
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\NetChat.exe" name="NetClient2"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:656
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\rc\DrFtc.exe" name="NetClient3"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:1432
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\rc\NrHost.exe" name="NetClient4"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:1668
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall set icmpsetting type=8 mode=ENABLE profile=STANDARD
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      Modifies data under HKEY_USERS
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NetClient40\NCGUARD.SYS

Filesize
17KB

MD5
708d7915c244823d4ed14b1145145ea4

SHA1
0535bc2c5d852ea1d49beea2fb47f7a59ba1e1a3

SHA256
3ebec61ee6a180e2d5c29358e394d23d4a42b444de5d8ba85e2b1c398e0ece55

SHA512
126f719c10dbd76e0a645fd21f3af0611bc5a90fd0378fc895e5a78b56766ebba629275af06c243f74c6367bea1db4e1ba4f4e3b33853d9012869805a4a57888

Download Submit
C:\Windows\SysWOW64\NetClient40\RC\nrdrvnt3.dll

Filesize
11KB

MD5
366b0ecc6a26035a34f619d061634f2e

SHA1
cbe3edb195f8f4b0f6fba342ec6bf3dcbfaa532f

SHA256
9b22d0eb2de909d8670b849f2f4c4b15db9f5ccf2d36085f41e0c2073fa17ceb

SHA512
8f720e28c2ffd973552062fcd88adc8e4e82e307150de7a9e8a80df1471459b4f84f1c2e2e066473257e6bb32e1490d81404aa8c9050ec5a1731682c48429bc9

Download Submit
C:\Windows\SysWOW64\NetClient40\RC\nrdrvnt3.sys

Filesize
8KB

MD5
be9a8898d0ecbace759ba05f6990882a

SHA1
9c69e304a1159e75178cb7e3bc7e95d90e4737fa

SHA256
8b6cc22781a6f0409fb9ffe0536af9083d18cd180a6ffc0142621a50302b25d2

SHA512
cf4c44d31e260c008d934a775d0c9aadb13205846908fadee8f0b58d089a1eaeccadbace7347a1de483b8df7d19b7cfe8657b77cdae84f6527fcf0ba206b4fd8

Download Submit
C:\Windows\SysWOW64\NetClient40\ncagent.exe

Filesize
32KB

MD5
f754f8fa1bef20474786cd5f4b6a7f12

SHA1
42de82b7b6c2a7c995e9217a73595366e21f69ca

SHA256
6f87eba04f7ae065eed44634fb94aefb71fed8a8c8cfc2ae5d1d746727e87cd4

SHA512
0288632dd9785b46679163c029d7c9c39c55809a181cdc077866a2a399f10689787a0f46f9d7cd8c0f8825e95e02c7d5f56ecb22c9d40348b3ba8bb52f1b1296

Download Submit
C:\Windows\SysWOW64\NetClient40\rc\nrinst03.exe

Filesize
69KB

MD5
6095b34e23378dd41a1600497b31c13d

SHA1
24ce72bed1bae7c20aa60b84d662bd15df03acdf

SHA256
a3b8f67773d918468ea74c9e6124709f84317393f27b811a4a675852985dc5d7

SHA512
b15f2c881eb2564840c6d4017e003255abf8bb3e36bbbb02ed588592d86b424cec1b89392bd0698ae2f95dbc0a4db9cf264eee5683f6e283f9926a75da0a77fb

Download Submit
\Users\Admin\AppData\Local\Temp\nckill.exe

Filesize
56KB

MD5
e752ff15dc8b962501a22b08554cb0f5

SHA1
d7d6c21be2cb6f9e9f1c2a453ef28d7c6698957b

SHA256
f0e975ddd0e66bb9ed3b0d9a4bf7970763ccd807243af1e8bf6df26496777c46

SHA512
5869b4ec760ddd49fd18654002bfda9e3e271e8ada6768051468beb6d67520e245744ffe4ea8a20f784b4bca6dafab03f285d77687dd75bcf991d8cbb3e80bd1

Download Submit
\Windows\SysWOW64\NetClient40\NCClient.exe

Filesize
272KB

MD5
8655f18c6eed30f8813a1a61df4a690c

SHA1
8eda977e1d56587469ca06dcecddd4d336380358

SHA256
431a49dbe4cacdd7fb9d9340e0f9f81b9670fbb9acc2ed2715532f82177830c8

SHA512
7c3d4753ad49f91881f6efe51686ccac7031dde9ad89006cc8a7ec79d969348716710c72f1e9f611f0ff4aee87568464ee2be41b97dd0d2096449b50d60fe580

Download Submit
\Windows\SysWOW64\NetClient40\NCClientUI.exe

Filesize
592KB

MD5
b6a665d0622bffe170cfa0d83e5d73a0

SHA1
90701e23141d8ea625f01a36fc7514a924a22b8a

SHA256
ffb9ec913f95082a702704f9d462d483864a5ae52d0fc59c78109b97f77c7b14

SHA512
fa58a553fb118f43a97ce748458bda246dca664f05c59db7243887918b7b787457c803bb0a52e8f5bfca0b9a4a3e19f167aa4126c230156b483e5e8a5d6c0b57

Download Submit
\Windows\SysWOW64\NetClient40\NCCustUI.exe

Filesize
168KB

MD5
74816fbf11c2955a8eaa248e0fbdc8d6

SHA1
936d9285e9bab2c16c6c45fe7014413dfa9f9d43

SHA256
75cafe6b1c2c41a2727f2aca8f8864cb5b2edf931d7529d8c1d8d7093a747781

SHA512
01507afcc4f6ce4d6834c8d16c939a922d7dc2e71b75ab9b1723ccba8aefe6ed07463ada8962505ec5f80223d9e12c5866fb130919649f90630d9ff6d0ed4182

Download Submit
\Windows\SysWOW64\NetClient40\ncstart.exe

Filesize
64KB

MD5
3d1e8b1be4cf5c13eab4e424204b34ab

SHA1
c54300fbb7e7759b04f23194756520d64771f740

SHA256
5d2158aa93fda80738b7a951111de3c7dc8a63c4394665af1d903c33afa883c0

SHA512
b680ee243c388b1c61c03ddc1f3e74a03024b615cef2d79bd4eda46026d4fd881099cfce25ad8f5c3f9f8de83bbf08086b450056111c52d0eb5b3ba25958cc55

Download Submit
memory/2164-238-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-249-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-226-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-237-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-236-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-235-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-242-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-248-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-250-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-224-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-252-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-251-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-253-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-254-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-261-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-258-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2164-257-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download