Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2024 15:53
Static task: static1
Behavioral task: behavioral1
  Sample: d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General

Target: d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
Size: 184KB
MD5: d4b8a82a729cdf72567046b7555a0922
SHA1: 3f64f0fe9528075fd128d9a4d4591f15d095e268
SHA256: 66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16
SHA512: 22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10
SSDEEP: 3072:BrSXkyxAljyuORbYlpy6bTH32GhNvtTw3LXdKkFq:xSkuAljyutpyCX2GhN1mLP
Malware Config

Extracted configuration:
- Family: njrat
- Version: v2.0
- Campaign ID: HacKed (the default value in the njRAT builder)
- C2: anunankis1.duckdns.org:1515
- Windows (field unlabelled in the report)
- reg_key: Windows
- splitter: |-F-|
Signatures

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk (Audio Realtek Driver.exe)

Executes dropped EXE (2 IoCs)
- PID 2256 Audio Realtek Driver.exe
- PID 2944 Audio Realtek Driver.exe

Loads dropped DLL (2 IoCs)
- PID 3048 d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe
- PID 2256 Audio Realtek Driver.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Audio Realtek Driver.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Audio Realtek Driver.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Audio Realtek Driver.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe" (d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL" (Audio Realtek Driver.exe)
The Run values are written to both the machine hive (32-bit Wow6432Node view) and the user hive. The user-hive Windows2 value is first set by the sample (PID 3048) to the dropped EXE in Temp and then set again by its descendant Audio Realtek Driver.exe to point at Windows.URL in the Templates folder.

Suspicious use of SetThreadContext (2 IoCs)
- PID 2096 d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe set thread context of PID 3048 (procid_target 31)
- PID 2256 Audio Realtek Driver.exe set thread context of PID 2944 (procid_target 35)
In both cases the target is a child running the same image as the caller (see the process tree below), the parent/child pairing that process hollowing produces.

Enumerates physical storage devices (1 TTPs)
- Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
- Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Audio Realtek Driver.exe (x2), attrib.exe (x3), d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe (x2)

Suspicious use of AdjustPrivilegeToken (33 IoCs)
- All by PID 2944 Audio Realtek Driver.exe: SeDebugPrivilege (x1), followed by Token 33 and SeIncBasePriorityPrivilege alternating (x16 each). Privilege 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h; the report does not resolve it to a name.

Suspicious use of WriteProcessMemory (34 IoCs, grouped by source and target PID)
- PID 2096 d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe wrote to memory of PID 3048 (procid_target 31): 9 IoCs
- PID 3048 d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe wrote to memory of PID 2256 (procid_target 32): 4 IoCs
- PID 3048 d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe wrote to memory of PID 2328 (procid_target 33): 4 IoCs
- PID 2256 Audio Realtek Driver.exe wrote to memory of PID 2944 (procid_target 35): 9 IoCs
- PID 2944 Audio Realtek Driver.exe wrote to memory of PID 2628 (procid_target 36): 4 IoCs
- PID 2944 Audio Realtek Driver.exe wrote to memory of PID 2636 (procid_target 37): 4 IoCs

Views/modifies file attributes (1 TTPs, 3 IoCs)
- PID 2328 attrib.exe
- PID 2628 attrib.exe
- PID 2636 attrib.exe
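The signatures above describe a persistence chain that is easy to key on in host telemetry: Run values whose data points into the user's AppData (a .URL in Templates, a dropped EXE in Temp), a shortcut written to the Startup folder, attrib +h +r +s on user-writable paths, and a C2 on a dynamic-DNS domain. Note that the attrib commands name Windows.exe in Startup and Templates while the file actually observed being created is Windows.lnk and the Run values point at Windows.URL, so the rules below key on locations and flag combinations rather than filenames. The following is an added detection example, not part of the sandbox report: the events are constructed Sysmon-style records (simplified dicts keyed like Sysmon event IDs 1, 11, 13 and 22, not parsed EVTX) that mirror the report's IoCs, with three benign events mixed in; the rule names and event layout are this example's own.

```python
"""Flag the njRAT persistence chain from this report in host telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS are CONSTRUCTED
Sysmon-style records (dicts keyed like event IDs 1, 11, 13 and 22) that mirror
the report's IoCs; the rule names and event layout are assumptions of this
example, not a real Sysmon schema.
"""
import re
from typing import Any, Dict, List, Optional, Set, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, int, str]  # (rule name, PID, detail)

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DYNAMIC_DNS = re.compile(r"\.duckdns\.org$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"
HKU_RUN = r"HKU\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS: List[Event] = [
    # ID 13 (registry value set): the report's Run entries.
    {"id": 13, "pid": 3048, "image": SAMPLE, "target": HKU_RUN + r"\Windows2", "details": DROPPED},
    {"id": 13, "pid": 2944, "image": DROPPED,
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows",
     "details": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.URL"},
    # ID 11 (file create): shortcut dropped into the per-user Startup folder.
    {"id": 11, "pid": 3048, "image": SAMPLE,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"},
    # ID 1 (process create): attrib hiding the dropped files.
    {"id": 1, "pid": 2628, "image": ATTRIB,
     "cmdline": r'attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"'},
    {"id": 1, "pid": 2328, "image": ATTRIB, "cmdline": r'attrib +h +r +s "' + DROPPED + '"'},
    # ID 22 (DNS query): C2 resolution.
    {"id": 22, "pid": 2944, "image": DROPPED, "query": "anunankis1.duckdns.org"},
    # Benign controls (constructed): vendor installer, user attrib, browser lookup.
    {"id": 13, "pid": 4100, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},
    {"id": 1, "pid": 4200, "image": ATTRIB, "cmdline": r'attrib -r "C:\Users\Admin\Documents\notes.txt"'},
    {"id": 22, "pid": 4300, "image": r"C:\Program Files\Browser\browser.exe", "query": "www.example.com"},
]


def check_run_key(ev: Event) -> Optional[Finding]:
    """Run value whose data lives under the user's AppData (Temp, Templates, ...)."""
    if ev["id"] != 13 or not RUN_KEY.search(ev["target"]):
        return None
    if USER_WRITABLE.search(ev["details"]):
        return ("run_key_user_writable", ev["pid"], f'{ev["target"]} = {ev["details"]}')
    return None


def check_startup_drop(ev: Event) -> Optional[Finding]:
    """Any file written into the per-user Startup folder."""
    if ev["id"] == 11 and STARTUP_DIR.search(ev["target"]):
        return ("startup_folder_drop", ev["pid"], ev["target"])
    return None


def check_attrib_hide(ev: Event) -> Optional[Finding]:
    """attrib.exe setting both +h and +s on a path under AppData, in any flag order."""
    if ev["id"] != 1 or not ev["image"].lower().endswith("\\attrib.exe"):
        return None
    flags = {tok.lower() for tok in ev["cmdline"].split() if tok.startswith("+")}
    if {"+h", "+s"} <= flags and USER_WRITABLE.search(ev["cmdline"]):
        return ("attrib_hide_system", ev["pid"], ev["cmdline"])
    return None


def check_dynamic_dns(ev: Event) -> Optional[Finding]:
    """DNS query for the dynamic-DNS provider the report's C2 lives on."""
    if ev["id"] == 22 and DYNAMIC_DNS.search(ev["query"]):
        return ("dynamic_dns_query", ev["pid"], ev["query"])
    return None


RULES = (check_run_key, check_startup_drop, check_attrib_hide, check_dynamic_dns)


def scan(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def rules_by_pid(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group hits by PID so the responder sees which process did what."""
    out: Dict[int, Set[str]] = {}
    for rule, pid, _ in findings:
        out.setdefault(pid, set()).add(rule)
    return out


if __name__ == "__main__":
    for rule, pid, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Run against the constructed events, the four rules fire six times across PIDs 3048, 2944, 2628 and 2328 and stay silent on the three benign controls; PID 2944 is the one that both writes the Templates\Windows.URL Run value and resolves the C2, which matches its role in the process tree.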
Processes

- C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe", PID 2096 (level 1)
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe", PID 3048 (level 2)
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe, command line "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe", PID 2256 (level 3)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe, command line "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe", PID 2944 (level 4)
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe, command line attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe", PID 2628 (level 5)
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
        - C:\Windows\SysWOW64\attrib.exe, command line attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe", PID 2636 (level 5)
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
    - C:\Windows\SysWOW64\attrib.exe, command line attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Audio Realtek Driver.exe", PID 2328 (level 3)
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
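The tree above is what the flattened SetThreadContext and WriteProcessMemory rows encode: each sample runs twice with the same image, and the first instance both writes into and resets the thread context of the second. The added example below (not part of the sandbox report) parses a representative subset of the report's own signature rows, rebuilds the parent/child graph from them and picks out the self-hollowing pairs. REPORT_ROWS are copied from the signature text (the report repeats the 2096 -> 3048 write nine times; two copies are kept to show counting), IMAGE_BY_PID is taken from the process tree, and the row regex and hollowing heuristic are this example's own, not the sandbox's detection logic.

```python
"""Rebuild the injection chain from this report's flattened signature rows.

Added example, not part of the sandbox report. REPORT_ROWS is a subset of the
"Suspicious use of SetThreadContext" / "WriteProcessMemory" rows as printed in
the report; IMAGE_BY_PID comes from the process tree. The parser and the
hollowing heuristic are assumptions of this example.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Row layout as printed: "PID <src> <action> <dst> <src> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (.+?) (\d+)")

SAMPLE = "d4b8a82a729cdf72567046b7555a0922_JaffaCakes118.exe"
DROPPED = "Audio Realtek Driver.exe"

REPORT_ROWS = [
    f"PID 2096 set thread context of 3048 2096 {SAMPLE} 31",
    f"PID 2256 set thread context of 2944 2256 {DROPPED} 35",
    f"PID 2096 wrote to memory of 3048 2096 {SAMPLE} 31",
    f"PID 2096 wrote to memory of 3048 2096 {SAMPLE} 31",
    f"PID 3048 wrote to memory of 2256 3048 {SAMPLE} 32",
    f"PID 3048 wrote to memory of 2328 3048 {SAMPLE} 33",
    f"PID 2256 wrote to memory of 2944 2256 {DROPPED} 35",
    f"PID 2944 wrote to memory of 2628 2944 {DROPPED} 36",
    f"PID 2944 wrote to memory of 2636 2944 {DROPPED} 37",
]

# Image per PID, from the process tree in the report.
IMAGE_BY_PID: Dict[int, str] = {2096: SAMPLE, 3048: SAMPLE, 2256: DROPPED, 2944: DROPPED,
                                2328: "attrib.exe", 2628: "attrib.exe", 2636: "attrib.exe"}

Edge = Tuple[int, str, int]  # (source pid, "stc" | "wpm", target pid)


def parse_rows(rows: List[str]) -> List[Edge]:
    """Turn printed IoC rows into (src, action, dst) edges; reject anything unexpected."""
    edges: List[Edge] = []
    for row in rows:
        m = ROW.fullmatch(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, action, dst, _image, _procid_target = m.groups()
        edges.append((int(src), "stc" if action.startswith("set") else "wpm", int(dst)))
    return edges


def find_hollowing(edges: List[Edge], image_by_pid: Dict[int, str]) -> List[Tuple[int, int, str, int]]:
    """Pairs where a process both wrote into and reset the thread context of a
    child running the same image: the self-hollowing (RunPE) pattern.

    A parent writing into a child is not enough on its own: ordinary process
    creation on Windows 7 also shows up as a parent write into the child,
    which is why all six parent/child pairs in the report, attrib.exe
    included, appear under the WriteProcessMemory signature."""
    stc: Set[Tuple[int, int]] = {(s, d) for s, a, d in edges if a == "stc"}
    writes = Counter((s, d) for s, a, d in edges if a == "wpm")
    hits = []
    for s, d in sorted(stc):
        if writes[(s, d)] and image_by_pid.get(s) == image_by_pid.get(d):
            hits.append((s, d, image_by_pid[s], writes[(s, d)]))
    return hits


def children(edges: List[Edge]) -> Dict[int, Set[int]]:
    """Parent -> children map derived from the write edges."""
    tree: Dict[int, Set[int]] = defaultdict(set)
    for s, a, d in edges:
        if a == "wpm":
            tree[s].add(d)
    return dict(tree)


def render(tree: Dict[int, Set[int]], image_by_pid: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented process tree, children in PID order (matches the report's layout)."""
    lines = [f"{'  ' * depth}{root} {image_by_pid.get(root, '?')}"]
    for child in sorted(tree.get(root, ())):
        lines.extend(render(tree, image_by_pid, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("\n".join(render(children(edges), IMAGE_BY_PID, 2096)))
    for src, dst, image, n in find_hollowing(edges, IMAGE_BY_PID):
        print(f"hollowing candidate: {src} -> {dst} ({image}, {n} write(s))")
```

The heuristic reports exactly the two pairs the SetThreadContext signature lists (2096 -> 3048 and 2256 -> 2944) and ignores the attrib.exe spawns, because those receive writes but no thread-context change and run a different image from their parent. Because the hollowed instances (3048 and 2944) are the ones that drop files and write Run keys, a responder hunting the persistence should look at the second copy of each image, not the first.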
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (1)
Downloads

- Filesize: 184KB (same hashes as the submitted sample)
  MD5: d4b8a82a729cdf72567046b7555a0922
  SHA1: 3f64f0fe9528075fd128d9a4d4591f15d095e268
  SHA256: 66a12501efa03a9f5963f7b5bef2a4062e0e534ecc1a496cdc00cf60470d2e16
  SHA512: 22304948535d84940b3f2aaf9ad6553865c3328c3ba897cc1c36928ec813127e41395a44dc5f2db3799bdeb7ae2491eeb6ffba8eff18d065860570839e19fb10
- Filesize: 1KB
  MD5: aab0594dc0ccf72394edb0350a86b3f1
  SHA1: 213f977d9d4b23d8ad554e86c2993d373bab6302
  SHA256: cbd65a8650c6b50d91ccdede66a06aaf39709cbe2a8e18d0c96c7d5cbd8506ca
  SHA512: dc4fd43d6641c93aed49613704bffab906cbc10f2aa7a3945ce02e6eff299c165cd459e8b047e836ae38871517bfdfe9b2e1fa59b45f9e28d429866b739da16e
- Filesize: 1018B
  MD5: e1d45e45044687dab3a6d0632db13944
  SHA1: 899a5d21fc82511f1958f529f7a8cb07fca318a9
  SHA256: cf1c0a075333927031717773ab95451514e865ea03dfbbadfb4ec20316af0149
  SHA512: 7643e22b5b86ef3847ca78aa6c6bd6f00823e5277832750cf4bf00975088a7dfb4143ab97c50ebbac4698b062e452aaf01efc070fc3801cb82659800bed66690