Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2024 14:12

Static task: static1

Behavioral task behavioral1
- Sample: 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
- Resource: win7-20240708-en

Behavioral task behavioral2
- Sample: 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
- Resource: win10v2004-20241007-en
General
- Target: 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
- Size: 649KB
- MD5: 3047a47ecd3436128b20f16c29d63550
- SHA1: a3b51245612735a44dc4b5ccb81829d05c9daf4f
- SHA256: b684e8c6223d2ece39800ed26431e8bfc0b8198c515327de3270200a60aec07d
- SHA512: e8c51d052454d42e339531fafdf39366b850125a4710c234ea820ed891bd1b24700929706258e3fc966b5de781fc8b2e07a2f8655565469518d67cc39c34534f
- SSDEEP: 12288:sO29h7ukziWy9EUKFTZdXTZdHXTZdXTZkCG644FFxHPvtS8ULd+mQb+mQwWhhhhx:sO29ESiWy9EFFTZdXTZdHXTZdXTZkL6U
Malware Config (extracted)
- Family: njrat
- Version: v2.0
- Botnet: HacKed
- C2: 62.227.124.106:5552
- Mutex: Windows
- reg_key: Windows
- splitter: |-F-|
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation, by 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe (×2)

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk, by 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk, by Payload.exe

Executes dropped EXE (3 IoCs)
- PID 4884: stub.exe
- PID 672: Payload.exe
- PID 1560: Payload.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe", by 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe

Suspicious use of SetThreadContext (2 IoCs)
- PID 4964 (3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe) set thread context of PID 1344 (procid_target 87)
- PID 672 (Payload.exe) set thread context of PID 1560 (procid_target 93)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by 3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe (×2), Payload.exe (×2), attrib.exe (×1)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0, by dw20.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz, by dw20.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by dw20.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS, by dw20.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU, by dw20.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
- Token: SeBackupPrivilege, PID 4408 dw20.exe (×2)
- Token: SeDebugPrivilege, PID 1560 Payload.exe (×1)
- Token: 33, PID 1560 Payload.exe (×16)
- Token: SeIncBasePriorityPrivilege, PID 1560 Payload.exe (×16)

Suspicious use of WriteProcessMemory (26 IoCs)
- PID 4964 (3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe) wrote to memory of PID 4884 (procid_target 86) (×2)
- PID 4964 (3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe) wrote to memory of PID 1344 (procid_target 87) (×8)
- PID 4884 (stub.exe) wrote to memory of PID 4408 (procid_target 88) (×2)
- PID 1344 (3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe) wrote to memory of PID 672 (procid_target 90) (×3)
- PID 1344 (3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe) wrote to memory of PID 1880 (procid_target 91) (×3)
- PID 672 (Payload.exe) wrote to memory of PID 1560 (procid_target 93) (×8)

Views/modifies file attributes (1 TTP, 1 IoC)
- PID 1880: attrib.exe
Processes (tree, depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe"
  PID: 4964
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\stub.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe"
    PID: 4884
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 736
      PID: 4408
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe"
    PID: 1344
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Payload.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      PID: 672
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\Payload.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
        PID: 1560
        - Drops startup file
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
      PID: 1880
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation: Boot or Logon Autostart Execution (1), Registry Run Keys / Startup Folder (1)
- Defense Evasion: Hide Artifacts (1), Hidden Files and Directories (1), Modify Registry (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3047a47ecd3436128b20f16c29d63550_JaffaCakes118.exe.log (617B)