Analysis

  • max time kernel
    56s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240705-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01-08-2024 03:09

General

  • Target

    7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    7ef58fae6597873eb9ddc200749efb54

  • SHA1

    01b74eb79082d0465ab8654b6a71c8570ac8743a

  • SHA256

    046af6ee479e05559a9830dc541785559e7a006cc1761c1f9f6acd6b9fbef0e9

  • SHA512

    97bcd602af86fdab80368e376712739dc96535026b77b87b6ff5e5f53796c0f39f6ec33954b8655aff64b8ca3bf7faa7e666f8aa5790d8a974c8ca408d0be14f

  • SSDEEP

    24576:4DTCwXMdaEkx9Tod/Z/Va9nVFMG17y+g3LZjQsW2l9r/ArJf4q0/9xAN6:L4E0odR/SnVKaux3LZssW2lF4Ff43s6

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

popeyeth.mooo.com:27010

Mutex

1d4a6f46-b018-458b-86f2-d747c268ef19

Attributes
  • activate_away_mode

    false

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-06-11T15:40:07.342134236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    27010

  • default_group

    cloud

  • enable_debug_mode

    true

  • gc_threshold

    10485760

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760

  • mutex

    1d4a6f46-b018-458b-86f2-d747c268ef19

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    popeyeth.mooo.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    5000

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

njrat

Version

0.7d

Botnet

GoogleServerHelper

C2

popeyeth.mooo.com:2222

Mutex

f12a535306e6106cec8bd5b7e630e4c4

Attributes
  • reg_key

    f12a535306e6106cec8bd5b7e630e4c4

  • splitter

    |'|'|
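Working with the indicators from the two configs extracted above (NanoCore 1.2.2.0 and njRAT 0.7d). This is an added example, not code from the report: the connection and mutex log lines are constructed, and the njRAT frame layout used by parse_njrat_frame (ASCII decimal body length, a NUL byte, then fields joined by the configured splitter) is assumed from public analyses of the 0.7d family rather than stated on this page.

```python
"""Indicator matching for the NanoCore and njRAT configs extracted above.
Added example, not part of the sandbox report; log lines are constructed and
the njRAT frame layout is an assumption taken from public 0.7d write-ups."""
import re

# Copied from the Malware Config section.
C2_HOST = "popeyeth.mooo.com"
C2_PORTS = {27010: "nanocore", 2222: "njrat"}
MUTEXES = {
    "1d4a6f46-b018-458b-86f2-d747c268ef19": "nanocore",
    "f12a535306e6106cec8bd5b7e630e4c4": "njrat",
}
NJRAT_SPLITTER = "|'|'|"

# Constructed log lines: first and third are true positives, the second is a
# connection to the same dynamic-DNS host on a port neither config uses.
CONNECTION_LOG = [
    "2024-08-01T03:10:02Z 10.0.0.5:49712 -> popeyeth.mooo.com:27010 tcp",
    "2024-08-01T03:10:05Z 10.0.0.5:49713 -> popeyeth.mooo.com:443 tcp",
    "2024-08-01T03:10:09Z 10.0.0.5:49714 -> POPEYETH.MOOO.COM:2222 tcp",
]
MUTEX_LOG = [
    r"pid=2276 CreateMutexW name=Global\1d4a6f46-b018-458b-86f2-d747c268ef19",
    r"pid=2992 CreateMutexW name=f12a535306e6106cec8bd5b7e630e4c4",
    r"pid=1234 CreateMutexW name=SomeUnrelatedAppMutex",
]

_CONN = re.compile(r"->\s*(?P<host>[\w.-]+):(?P<port>\d+)")
_MUTEX = re.compile(r"name=(?:Global\\|Local\\)?(?P<name>[\w-]+)")


def scan_connections(lines):
    """Return (family, 'host:port') for lines that reach a configured C2 endpoint.
    Host match is case-insensitive; the port must be one from the configs, which
    is what lets the two families be told apart on the shared host."""
    out = []
    for line in lines:
        m = _CONN.search(line)
        if not m:
            continue
        host, port = m["host"].lower(), int(m["port"])
        if host == C2_HOST and port in C2_PORTS:
            out.append((C2_PORTS[port], f"{host}:{port}"))
    return out


def scan_mutexes(lines):
    """Return (family, mutex) for mutex names matching either config; the
    Global\\ or Local\\ namespace prefix is ignored."""
    out = []
    for line in lines:
        m = _MUTEX.search(line)
        if m and m["name"] in MUTEXES:
            out.append((MUTEXES[m["name"]], m["name"]))
    return out


def build_njrat_frame(fields):
    """Encode fields into one frame: '<len>\\x00' + splitter-joined body (assumed layout)."""
    body = NJRAT_SPLITTER.join(fields).encode("utf-8")
    return str(len(body)).encode() + b"\x00" + body


def parse_njrat_frame(data):
    """Decode one frame back into its fields. Returns None when the length
    prefix is missing or disagrees with the body length, which is what a
    truncated capture or a non-njRAT stream looks like."""
    length, nul, body = data.partition(b"\x00")
    if not nul or not length.isdigit() or int(length) != len(body):
        return None
    return body.decode("utf-8", "replace").split(NJRAT_SPLITTER)


if __name__ == "__main__":
    print(scan_connections(CONNECTION_LOG))
    print(scan_mutexes(MUTEX_LOG))
    frame = build_njrat_frame(["ll", "GoogleServerHelper", "ADMIN-PC", "Admin"])
    print(frame, parse_njrat_frame(frame))
```

When hunting rather than triaging, a host-only match on the dynamic-DNS name is usually the better first pass; the port check here is what separates the NanoCore and njRAT channels that share it. The literal splitter string is also a useful byte pattern for carving njRAT traffic out of a capture before any framing is applied.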

Signatures

  • DarkTrack

    DarkTrack is a remote administration tool written in Delphi.

  • DarkTrack payload 7 IoCs
  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur. The %AppData%\MSDCSC\ directory that WindowsShellHelper.exe runs from in the process tree below is DarkComet's default install location.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 24 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\70CD.tmp\70CE.bat C:\Users\Admin\AppData\Local\Temp\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\70CD.tmp\WindowsSeverHelper.pif
        WindowsSeverHelper.pif
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
          "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2276
        • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
          "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2800
          • C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe
            "C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2992
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\GoogleServerHelper.exe" "GoogleServerHelper.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:696
        • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
          "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
            "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\SysWOW64\notepad.exe
              notepad
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2140
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2292
        • C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe
          "C:\Users\Admin\AppData\Roaming\MSDCSC\WindowsShellHelper.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2304
          • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
            "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3048
          • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
            "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2000
          • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
            "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1296
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:560
            • C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE
              "C:\Users\Admin\AppData\Local\Temp\CIOUD.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3060
            • C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
              "C:\Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:1908
            • C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
              "C:\Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:2396
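Process-creation detection logic for the behaviour shown in the tree above: binaries executed from user-writable profile paths (Temp, Roaming), a firewall exception added for a Roaming binary, batch files staged in Temp, the ping-127.0.0.1 sleep loop, and a legitimate host image (iexplore.exe, notepad.exe) spawning children out of the profile. This is an added example and not part of the report: the Event layout (pid, ppid, image, cmdline) is an assumed schema rather than any particular EDR's, and SAMPLE_EVENTS is constructed from the tree above plus one benign control record (pid 4242).

```python
"""Process-event rules for the sandbox tree above. Added example, not part of
the report; the Event schema is assumed and SAMPLE_EVENTS is constructed."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
RUNNABLE_EXT = (".exe", ".pif", ".scr", ".com")
HOLLOW_HOSTS = {"iexplore.exe", "notepad.exe"}  # benign images used as injection targets
NETSH_ALLOW = re.compile(
    r"netsh\s+(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)",
    re.IGNORECASE,
)
TEMP_BATCH = re.compile(r"\\Temp\\[^\"]+\.bat", re.IGNORECASE)
PING_LOOP = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)", re.IGNORECASE)

T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming"
# Constructed from the process tree; pid 4242 is a benign control record.
SAMPLE_EVENTS = [
    Event(2752, 1000, T + r"\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe",
          '"' + T + r'\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"'),
    Event(2900, 2752, r"C:\Windows\system32\cmd.exe",
          r'"C:\Windows\sysnative\cmd.exe" /c "' + T + r'\70CD.tmp\70CE.bat '
          + T + r'\7ef58fae6597873eb9ddc200749efb54_JaffaCakes118.exe"'),
    Event(1168, 2900, T + r"\70CD.tmp\WindowsSeverHelper.pif", "WindowsSeverHelper.pif"),
    Event(2800, 1168, T + r"\GOOGLESERVERHELPER.EXE", '"' + T + r'\GOOGLESERVERHELPER.EXE"'),
    Event(2992, 2800, R + r"\GoogleServerHelper.exe", '"' + R + r'\GoogleServerHelper.exe"'),
    Event(696, 2992, r"C:\Windows\SysWOW64\netsh.exe",
          'netsh firewall add allowedprogram "' + R + r'\GoogleServerHelper.exe" "GoogleServerHelper.exe" ENABLE'),
    Event(1836, 1168, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + T + r'\tmpcmd.bat" "'),
    Event(2292, 1836, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 5"),
    Event(2304, 1168, R + r"\MSDCSC\WindowsShellHelper.exe", '"' + R + r'\MSDCSC\WindowsShellHelper.exe"'),
    Event(560, 2304, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
          r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'),
    Event(3060, 560, T + r"\CIOUD.EXE", '"' + T + r'\CIOUD.EXE"'),
    Event(4242, 1000, r"C:\Windows\System32\notepad.exe", "notepad"),
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (pid, rule) findings; one process can match several rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = _name(e.image)
        parent = by_pid.get(e.ppid)
        parent_img = _name(parent.image) if parent else ""
        if img.endswith(RUNNABLE_EXT) and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "exec_from_user_writable_dir"))
        if img == "netsh.exe" and NETSH_ALLOW.search(e.cmdline) and USER_WRITABLE.search(e.cmdline):
            findings.append((e.pid, "firewall_exception_for_profile_binary"))
        if img == "cmd.exe" and TEMP_BATCH.search(e.cmdline):
            findings.append((e.pid, "batch_staged_in_temp"))
        m = PING_LOOP.search(e.cmdline)
        if img == "ping.exe" and parent_img == "cmd.exe" and m and int(m.group(1)) > 1:
            findings.append((e.pid, "ping_loopback_sleep"))
        if parent_img in HOLLOW_HOSTS and USER_WRITABLE.search(e.image):
            findings.append((e.pid, "hollow_host_spawned_profile_binary"))
    return findings


def rules_for(pid, events=SAMPLE_EVENTS):
    """Sorted rule names that fired for one pid."""
    return sorted(rule for p, rule in evaluate(events) if p == pid)


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(pid, rule)
```

The parent lookup is what makes the last two rules useful: ping 127.0.0.1 is harmless on its own, and iexplore.exe running is normal, but cmd.exe sleeping via ping from a Temp batch file, and a browser process launching a binary out of %TEMP%, are the sandbox observations worth alerting on. Telemetry that records process start order but not parent pid will miss both.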

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic, then technique (ATT&CK ID) and the number of matching signatures.

Persistence
  • Boot or Logon Autostart Execution (T1547) 2
    • Registry Run Keys / Startup Folder (T1547.001) 1
    • Winlogon Helper DLL (T1547.004) 1
  • Create or Modify System Process (T1543) 1
    • Windows Service (T1543.003) 1
  • Event Triggered Execution (T1546) 1
    • Netsh Helper DLL (T1546.007) 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547) 2
    • Registry Run Keys / Startup Folder (T1547.001) 1
    • Winlogon Helper DLL (T1547.004) 1
  • Create or Modify System Process (T1543) 1
    • Windows Service (T1543.003) 1
  • Event Triggered Execution (T1546) 1
    • Netsh Helper DLL (T1546.007) 1

Defense Evasion
  • Modify Registry (T1112) 2
  • Impair Defenses (T1562) 1
    • Disable or Modify System Firewall (T1562.004) 1

Discovery
  • System Information Discovery (T1082) 2
  • System Location Discovery (T1614) 1
    • System Language Discovery (T1614.001) 1
  • System Network Configuration Discovery (T1016) 1
    • Internet Connection Discovery (T1016.001) 1
  • Remote System Discovery (T1018) 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\70CD.tmp\1.bat
    Filesize

    48B

    MD5

    55b802862d9eaffe7b7fb6eeae66d729

    SHA1

    b014e037b3849cf206bdd4d2910e9a1803dfe5e0

    SHA256

    1491837dd6978e9323d1f2e7b3bcb6da5e7eb5373245ec569a8f2624ede90ba0

    SHA512

    90f86153716997025a105d64286e2ad6c8ea06951278def6d8f39b76518e966c3ac62e45f986bf4ad9cf3d11264f0ecbe65c42f78cb3fb9096b25a36a341001c

  • C:\Users\Admin\AppData\Local\Temp\70CD.tmp\70CE.bat
    Filesize

    33B

    MD5

    8a018ca11acfbd81dc4b301fbbcd58d5

    SHA1

    c8e8f856dd9f2c1b904df66c183e3674625b28f4

    SHA256

    b5823db59fcf22262591aecb537ad79764a62925b7ed409615d0cb8d7b37272d

    SHA512

    b7e9f1b6c668f2e6aede983d485979cbed363d15fcf135af9fa8fd949483f3410b17ce383006dfad43243cc884da9b3fcadbfc60a872901e3f1e6e0889f6f028

  • C:\Users\Admin\AppData\Local\Temp\70CD.tmp\WindowsSeverHelper.pif
    Filesize

    1.0MB

    MD5

    5aa470a6aefd43f2bb371c6d4ff0e81c

    SHA1

    1ff99e88b23fe31798176d7de1dc0fab8891bed8

    SHA256

    4070967cb1326a2685821810479dd8b2c5c3db8c2de1177a5ae42edd7263ac69

    SHA512

    69fa0cf4e2fe5b98b696b50bd9fc429036a01d54b66bd707ddf550fa7003950874c8ea1dc2fbcc7f3f023ef6a44d0f727b59f3a393a199c68910cfc5c876d655

  • C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
    Filesize

    94B

    MD5

    165c230a71f50740f1f1755ccc760fe2

    SHA1

    1c74b929653450d07175f9a724671151b0395cd4

    SHA256

    8de17d7bbb12c2159c623937b06582d53e6d8f0826ece5bfcdf59a51884e63af

    SHA512

    739c9d8e4daed43f6e9b200b543ccadbc0a058e922a84d5d533e55c617d66894d7168f59ed98a31d83b5049d4e9e280a6abc6d5ea08e5164a411686e6c19fa61

  • \Users\Admin\AppData\Local\Temp\CIOUD.EXE
    Filesize

    595KB

    MD5

    890e94388a40a56ef27d6d1d94b72290

    SHA1

    310a196df36bd06ab6660daaf7bdfd6f2aa6b403

    SHA256

    da403e7a6dd93e9357f6fa630a4b2edcc1558174802cad90330365db79d223fc

    SHA512

    53d4914ef2e1c4395e63891d7aec07f5c11dbb1e0a1599adfabbc306a5c17d796c1fc8d290bf4b5e2b0d9b0f99924f0257c045dab13cf4092525a38ff501f754

  • \Users\Admin\AppData\Local\Temp\GOOGLESERVERHELPER.EXE
    Filesize

    33KB

    MD5

    03a9d8b71175a13df468482dd8c28f70

    SHA1

    bc1b0a9973274d4281b81657cb9e8b65466a58fe

    SHA256

    7804b4f4792567cef30f25bf4c2c9d8248c283f46412e24f6896f25968788d75

    SHA512

    f91bd85c80af299691921068a9dcc8de5af5911be2405276b00f05e0aa9a00fb27d9c56d9b22c4960d11b846cb1879218c38b740f42266ddaebc2a51ff74709a

  • \Users\Admin\AppData\Local\Temp\RUNTIME BROKER.EXE
    Filesize

    627KB

    MD5

    f6c8aff612013d1b6cf238f51b0fee1c

    SHA1

    8bef1fe8cafd7c99289f8ed666116a454af825be

    SHA256

    847cd3461fd87a7d4b3c9c221ebadaedd03838fd9b4c618f0684436473a8d51d

    SHA512

    a49390f3de6a17e18a1bd1541b0f49f4b3ff0bb187f1d13dead813549b6558cec3e8a3959c45df828a1bc0004593aa78797c123c8abfe5715ca28b49c857e816

  • memory/560-201-0x0000000000400000-0x0000000000600000-memory.dmp
    Filesize

    2.0MB

  • memory/1168-235-0x00000000045E0000-0x00000000047E0000-memory.dmp
    Filesize

    2.0MB

  • memory/1168-180-0x00000000045E0000-0x00000000047E0000-memory.dmp
    Filesize

    2.0MB

  • memory/1168-75-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/1168-74-0x0000000000400000-0x0000000000600000-memory.dmp
    Filesize

    2.0MB

  • memory/1168-179-0x0000000000400000-0x0000000000600000-memory.dmp
    Filesize

    2.0MB

  • memory/1296-199-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

  • memory/2140-119-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

  • memory/2140-159-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

  • memory/2304-181-0x0000000000400000-0x0000000000600000-memory.dmp
    Filesize

    2.0MB

  • memory/2304-203-0x0000000000400000-0x0000000000600000-memory.dmp
    Filesize

    2.0MB

  • memory/2388-233-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

  • memory/2396-220-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

  • memory/2988-117-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB