Analysis
max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-09-2024 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
Every signature, IoC and process listed on this page comes from behavioral1 (Windows 7 x64); no behavioral2 (Windows 10) results are reproduced here.
General
Target: fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe
Size: 415KB
MD5: fba04ac6840b68018f2e34cb163cf37b
SHA1: bb4991c7815bf2b1c2e411b4d7cf74261194d65f
SHA256: 775e884c62bdb526eb6a26abdd14221782ada4ba4a572741a78757d981e997dc
SHA512: d04c749ff6a86c87e012d200720f0ebc9a661ef0b046f5436c8bba788d562e12d0566731163fecf95c532fb1217f51fcce2218805702a5263fdb374a30f747a5
SSDEEP: 6144:5dRVzSkGTxSLD8uq5CaOPs47bhqUdUtX+t49fkR05tvEAK7/QWzBWJ4:5hqxSLo5C1Ps4XhitX+t498RgtMAYdzB
Malware Config
Extracted: njrat
  version: 0.6.4
  campaign id: HacKed
  c2: lptrojan.duckdns.org:1177
  83e01e55971481266f4aa1ab6ece4b17 (unlabeled in the report; the same value is used as the Run key name under Signatures)
  reg_key: 83e01e55971481266f4aa1ab6ece4b17
  splitter: |'|'|
Extracted: redline
  botnet: FiveMMM
  c2: 185.215.113.55:36801
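The splitter is extracted as configuration because it is the field delimiter njRAT writes into every C2 message, which makes it a usable network signature. The following Python is an added example by the editor, not code from this report or from njRAT itself. It assumes the length-prefixed framing commonly documented for njRAT (payload length in ASCII decimal, a NUL byte, then the payload), which this page does not show; the sample stream is constructed here and is not a capture from this run, and no claim is made about njRAT's real field order.

```python
from typing import List, Tuple

# Field delimiter from the extracted njRAT config on this page.
SPLITTER = "|'|'|"
# Assumption (not shown on this page): njRAT frames each message as the payload
# length in ASCII decimal, a NUL byte, then the payload.
LENGTH_TERMINATOR = b"\x00"


def frame(fields: List[str], splitter: str = SPLITTER) -> bytes:
    """Build one length-prefixed njRAT-style message from its fields."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + LENGTH_TERMINATOR + payload


def unframe(stream: bytes, splitter: str = SPLITTER) -> Tuple[List[List[str]], bytes]:
    """Split a TCP stream buffer into complete messages (each a list of fields).

    Returns (messages, leftover). Leftover holds a trailing partial message so
    the caller can append the next TCP segment and call again; parsing stops at
    the first run of bytes that is not a valid decimal length prefix.
    """
    messages: List[List[str]] = []
    buf = stream
    while True:
        nul = buf.find(LENGTH_TERMINATOR)
        if nul <= 0 or not buf[:nul].isdigit():
            break                       # no prefix yet, or not this protocol
        length = int(buf[:nul])
        start, end = nul + 1, nul + 1 + length
        if len(buf) < end:
            break                       # partial message: wait for more data
        payload = buf[start:end].decode("utf-8", errors="replace")
        messages.append(payload.split(splitter))
        buf = buf[end:]
    return messages, buf


def looks_like_njrat(stream: bytes, splitter: str = SPLITTER, min_fields: int = 3) -> bool:
    """Cheap stream classifier: at least one well-framed message carrying the splitter."""
    messages, _ = unframe(stream, splitter)
    return any(len(m) >= min_fields for m in messages)


# Constructed sample stream: two complete messages followed by a partial one.
# The field contents reuse the campaign id and reg_key from the config above
# purely as recognisable strings; they do not reproduce njRAT's real fields.
SAMPLE_STREAM = (
    frame(["ll", "HacKed", "83e01e55971481266f4aa1ab6ece4b17", "WIN7-PC", "Admin"])
    + frame(["inf"])
    + b"12\x00partial"
)
```

Because the delimiter is the only protocol constant that survives a change of C2 host or port, a detection that reassembles the stream and keys on a well-framed message containing the splitter outlives the lptrojan.duckdns.org:1177 indicator from this run.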
Signatures
All IoCs below were recorded in behavioral1 (Windows 7 x64).

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (5 IoCs)
  yara rule family_redline matched five memory dumps of PID 2604 (the second 1.exe), all covering the image range 0x0000000000400000-0x0000000000422000:
    behavioral1/memory/2604-50-0x0000000000400000-0x0000000000422000-memory.dmp
    behavioral1/memory/2604-52-0x0000000000400000-0x0000000000422000-memory.dmp
    behavioral1/memory/2604-55-0x0000000000400000-0x0000000000422000-memory.dmp
    behavioral1/memory/2604-57-0x0000000000400000-0x0000000000422000-memory.dmp
    behavioral1/memory/2604-58-0x0000000000400000-0x0000000000422000-memory.dmp

SectopRAT payload (5 IoCs)
  yara rule family_sectoprat matched the same five dumps of PID 2604 listed above (2604-50, -52, -55, -57 and -58, range 0x0000000000400000-0x0000000000422000). Both rules fire on identical memory, and the only RedLine configuration extracted in this run (botnet FiveMMM, C2 185.215.113.55:36801) comes from that payload, so treat the SectopRAT hit as a rule overlap rather than evidence of a second family.

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 2344 netsh.exe, launched by css.exe with: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\css.exe" "css.exe" ENABLE
  This is the legacy netsh firewall context (deprecated in favour of netsh advfirewall, but still honoured on Windows 7), used to whitelist the njRAT binary in the host firewall.

Executes dropped EXE (4 IoCs)
  PID 3028 1.exe, PID 2284 Server.exe, PID 2908 css.exe, PID 2604 1.exe

Loads dropped DLL (10 IoCs)
  PID 2376 fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe (8 loads), PID 2284 Server.exe (1), PID 3028 1.exe (1)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by css.exe:
    \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .."
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\css.exe\" .."
  The value name is the reg_key from the extracted njRAT config; the data is the quoted path to css.exe followed by " ..", the argument njRAT's persistence routine appends. The same entry is written to both the user hive and HKLM.

Suspicious use of SetThreadContext (1 IoC)
  PID 3028 (1.exe) set the thread context of PID 2604 (1.exe, procid_target 37). Together with the nine WriteProcessMemory events from 3028 into 2604 and the RedLine payload being found only in 2604's memory, this is consistent with the first 1.exe injecting the stealer into a second copy of itself.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  netsh.exe: Key opened, Key queried, Key value enumerated on \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  All three events are reads. netsh enumerates its registered helper DLLs under this key every time it starts, so this is a side effect of the firewall command above; no write that would register a malicious helper DLL is recorded.

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: netsh.exe, 1.exe (two entries), fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe, Server.exe, css.exe

Suspicious behavior: EnumeratesProcesses (45 IoCs)
  All 45 events from PID 2908 css.exe.

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2908 css.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 2376 fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe wrote to PID 3028 1.exe (procid_target 31): 4 events
  PID 2376 fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe wrote to PID 2284 Server.exe (procid_target 32): 4 events
  PID 2284 Server.exe wrote to PID 2908 css.exe (procid_target 34): 4 events
  PID 2908 css.exe wrote to PID 2344 netsh.exe (procid_target 35): 4 events
  PID 3028 1.exe wrote to PID 2604 1.exe (procid_target 37): 9 events
  The four-event groups match what the sandbox records for every ordinary parent-to-child launch in this run; the nine writes from 3028 into 2604 are the ones that stand out and pair with the SetThreadContext event.
Processes
C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe (PID 2376)
  command line: "C:\Users\Admin\AppData\Local\Temp\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 3028)
     command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - Suspicious use of SetThreadContext
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     +- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2604)
        command line: C:\Users\Admin\AppData\Local\Temp\1.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  +- C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 2284)
     command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
     - Executes dropped EXE
     - Loads dropped DLL
     - System Location Discovery: System Language Discovery
     - Suspicious use of WriteProcessMemory
     +- C:\Users\Admin\AppData\Local\Temp\css.exe (PID 2908)
        command line: "C:\Users\Admin\AppData\Local\Temp\css.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        +- C:\Windows\SysWOW64\netsh.exe (PID 2344)
           command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\css.exe" "css.exe" ENABLE
           - Modifies Windows Firewall
           - Event Triggered Execution: Netsh Helper DLL
           - System Location Discovery: System Language Discovery
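The three behaviours that matter for detection in this tree are visible in ordinary host telemetry: netsh whitelisting an executable that lives in a user-writable directory, a Run value that points into Temp and carries njRAT's trailing " ..", and a process launching a second instance of its own image from Temp (the shape the SetThreadContext/WriteProcessMemory injection takes here). The following Python is an added example written by the editor; it is not part of the sandbox report. It assumes Sysmon field names (EventID 1 ProcessCreate, EventID 13 RegistryEvent SetValue); the event records are constructed to mirror this run rather than exported from it, and the rule names are this example's own.

```python
import re
from typing import Dict, Iterable, List

Event = Dict[str, object]
Finding = Dict[str, object]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
MAIN = TEMP + r"\fba04ac6840b68018f2e34cb163cf37b_JaffaCakes118.exe"

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value
# set) mirroring the process tree above, plus one benign control event at the end.
# They are made up to match the report; they are not an export from the sandbox.
EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 2376, "ParentProcessId": 1000, "Image": MAIN,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{MAIN}"'},
    {"EventID": 1, "ProcessId": 3028, "ParentProcessId": 2376, "Image": TEMP + r"\1.exe",
     "ParentImage": MAIN, "CommandLine": f'"{TEMP}\\1.exe"'},
    {"EventID": 1, "ProcessId": 2604, "ParentProcessId": 3028, "Image": TEMP + r"\1.exe",
     "ParentImage": TEMP + r"\1.exe", "CommandLine": TEMP + r"\1.exe"},
    {"EventID": 1, "ProcessId": 2284, "ParentProcessId": 2376, "Image": TEMP + r"\Server.exe",
     "ParentImage": MAIN, "CommandLine": f'"{TEMP}\\Server.exe"'},
    {"EventID": 1, "ProcessId": 2908, "ParentProcessId": 2284, "Image": TEMP + r"\css.exe",
     "ParentImage": TEMP + r"\Server.exe", "CommandLine": f'"{TEMP}\\css.exe"'},
    {"EventID": 13, "ProcessId": 2908, "Image": TEMP + r"\css.exe",
     "TargetObject": r"HKU\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft"
                     r"\Windows\CurrentVersion\Run\83e01e55971481266f4aa1ab6ece4b17",
     "Details": f'"{TEMP}\\css.exe" ..'},
    {"EventID": 13, "ProcessId": 2908, "Image": TEMP + r"\css.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
                     r"\83e01e55971481266f4aa1ab6ece4b17",
     "Details": f'"{TEMP}\\css.exe" ..'},
    {"EventID": 1, "ProcessId": 2344, "ParentProcessId": 2908,
     "Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": TEMP + r"\css.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}\\css.exe" "css.exe" ENABLE'},
    # Benign control: an admin allowing an installed application (must not fire).
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\netsh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="App" dir=in action=allow '
                    r'program="C:\Program Files\App\App.exe"'},
]

# Directories an unprivileged user can write to; a firewall exception or Run
# value pointing here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Local|Roaming)|ProgramData|Users\\Public)\\", re.I)
# The legacy "netsh firewall" syntax used by this sample and the current advfirewall one.
NETSH_ALLOW = re.compile(
    r"\bfirewall\s+add\s+allowedprogram\b|\badvfirewall\s+firewall\s+add\s+rule\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def program_from_netsh(cmdline: str) -> str:
    """Return the program path from either netsh syntax, or "" if there is none."""
    m = re.search(r'program="([^"]+)"|program=(\S+)', cmdline, re.I)
    if not m:
        m = re.search(r'allowedprogram\s+"([^"]+)"|allowedprogram\s+(\S+)', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else ""


def run_value_target(details: str) -> str:
    """Registry Run data is a command line; return just its executable path."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    return details.split(" ", 1)[0]


def analyze(events: Iterable[Event]) -> List[Finding]:
    """Emit one finding per matching event; rule names are this example's own."""
    findings: List[Finding] = []
    for e in events:
        eid, image = e.get("EventID"), str(e.get("Image", ""))
        if eid == 1:
            cmd = str(e.get("CommandLine", ""))
            if image.lower().endswith("\\netsh.exe") and NETSH_ALLOW.search(cmd):
                prog = program_from_netsh(cmd)
                if USER_WRITABLE.search(prog):
                    findings.append({"rule": "netsh_allow_user_writable",
                                     "pid": e["ProcessId"], "program": prog})
            parent = str(e.get("ParentImage", ""))
            if parent and parent.lower() == image.lower() and USER_WRITABLE.search(image):
                # A binary in Temp re-launching its own image: the injection target
                # pattern seen for 1.exe (PID 3028 -> 2604) in this run.
                findings.append({"rule": "self_spawn_user_writable",
                                 "pid": e["ProcessId"], "parent_pid": e["ParentProcessId"]})
        elif eid == 13:
            target, details = str(e.get("TargetObject", "")), str(e.get("Details", ""))
            if RUN_KEY.search(target) and USER_WRITABLE.search(run_value_target(details)):
                findings.append({"rule": "run_key_user_writable", "pid": e["ProcessId"],
                                 "value": target.rsplit("\\", 1)[-1],
                                 "hive": "HKLM" if target.upper().startswith("HKLM") else "HKU",
                                 # njRAT appends " .." to its Run value; kept as a tag, not a verdict
                                 "trailing_dotdot": details.rstrip().endswith(" ..")})
    return findings
```

The path test, not the netsh command itself, is what keeps the benign control event quiet: administrators add firewall rules all day, but almost never for a binary under AppData\Local\Temp. The same path test on the Run value catches the persistence regardless of the random value name njRAT chooses.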
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (1): Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads
Filesize: 29KB
MD5: c69f5c53bbd00f5d124cdfc040313adc
SHA1: 9c60bbc168a25d7179022b696b6f8eda6df6f54a
SHA256: dac36b2a874ef4894c59374759dc454bc3c85d1a1f9321798168195390111857
SHA512: a7f8fac7b4a76db0f4b7af0f3b2fc5af9d096af6fac4a0fa299a8c164c846b4190bfce83e38801f70ee6fc990d88cfd111afedcbcdfe278e78387ea8df5b80ed

Filesize: 432KB
MD5: 524cf73258298aea3f30b4fc69fe8133
SHA1: e3aee9709dd93b56d7ac07cae1cc17892406f711
SHA256: c08cd89bc38d96922bc6c900afd041de7b55d6cec276cc5c7a79eb1869f2b1e5
SHA512: 0fbd32bbe4f63b8ef0b78c7d28bcfc1e2c6fd8054a56f42b2bbf396a818f70d2c4e3c18caf5758affb8aff134a28be18fc6a863e4f03bc2dc2fc6275f8dd1179