Analysis
  max time kernel:  149s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        25-11-2024 13:14
Behavioral task: behavioral1
  Sample:   9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
  Target: 9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Size:   26KB
  MD5:    9bb86c8073900283af53b3f55d5fedf3
  SHA1:   73596fcaafdc6c178816c918d35a5b0167011435
  SHA256: 391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b
  SHA512: 1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38
  SSDEEP: 384:qLJCnWzGgqhZArwvaGGuPh5BrM0AQk93vmhm7UMKmIEecKdbXTzm9bVhcalS6prZ:04vMAi0A/vMHTi9bDl
Malware Config
Extracted
  Family:  njrat
  Version: v4.0
  Botnet:  Super
  C2:      favioserver.ddns.net:8081
  Mutex:   Windows
  Attributes:
    reg_key:  Windows
    splitter: |-F-|
Signatures

- Njrat family

- Drops startup file (5 IoCs)
  description                   ioc                                                                                   Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  chrome.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  attrib.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk  chrome.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe  chrome.exe

- Executes dropped EXE (1 IoC)
  pid   Process
  2144  chrome.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe

- Adds Run key to start application (2 TTPs, 5 IoCs)
  description        ioc                                                                                                                                                                    Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chrome.exe"                          9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"  chrome.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                             chrome.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   chrome.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"                              chrome.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                      Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  chrome.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  attrib.exe

- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe
  Token: 33                            2144  chrome.exe
  Token: SeIncBasePriorityPrivilege    2144  chrome.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  description                         pid   Process                                              procid_target
  PID 1224 wrote to memory of 2144    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   31
  PID 1224 wrote to memory of 2144    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   31
  PID 1224 wrote to memory of 2144    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   31
  PID 1224 wrote to memory of 2144    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   31
  PID 1224 wrote to memory of 2668    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   32
  PID 1224 wrote to memory of 2668    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   32
  PID 1224 wrote to memory of 2668    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   32
  PID 1224 wrote to memory of 2668    1224  9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe   32
  PID 2144 wrote to memory of 2608    2144  chrome.exe                                           34
  PID 2144 wrote to memory of 2608    2144  chrome.exe                                           34
  PID 2144 wrote to memory of 2608    2144  chrome.exe                                           34
  PID 2144 wrote to memory of 2608    2144  chrome.exe                                           34
  PID 2144 wrote to memory of 2820    2144  chrome.exe                                           35
  PID 2144 wrote to memory of 2820    2144  chrome.exe                                           35
  PID 2144 wrote to memory of 2820    2144  chrome.exe                                           35
  PID 2144 wrote to memory of 2820    2144  chrome.exe                                           35

- Views/modifies file attributes (1 TTP, 3 IoCs)
  pid   Process
  2668  attrib.exe
  2608  attrib.exe
  2820  attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9bb86c8073900283af53b3f55d5fedf3_JaffaCakes118.exe"
  PID: 1224
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\chrome.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    PID: 2144
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      PID: 2608
      - Drops startup file
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      PID: 2820
      - System Location Discovery: System Language Discovery
      - Views/modifies file attributes

  C:\Windows\SysWOW64\attrib.exe
    Command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
    PID: 2668
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Boot or Logon Autostart Execution (1)
      Registry Run Keys / Startup Folder (1)
  Defense Evasion
    Hide Artifacts (1)
      Hidden Files and Directories (1)
    Modify Registry (1)
Downloads

  Filesize: 1KB
  MD5:      c7bacc12f165ab5dbbd5a2ae9f2dfca3
  SHA1:     b5017a1d4edee7765391990b42e58043e84b5914
  SHA256:   824baa52042f45bb6bf540719d4635dda57d85989086686e4cf765970847b90e
  SHA512:   acc855362f306368ccbca867f73525e4f2f6cec6c8114e9a706766fdfbe58edcb7b3821b174ab0f22a820e79ecc6ea6a93e1508617745e17015807c2610a4cb7

  Filesize: 1018B
  MD5:      5ee8b0aaba1bbc7650be293e7ba97e38
  SHA1:     fecdfe9bc6eb3dd1648d11d954fcd7222a2c8e05
  SHA256:   3931dc1e16b459204b7301391b08fb84190b1bbe5721bb8b2d3a24fa2b37d474
  SHA512:   a3c9ba8c5bebd4a9cddc2b43429a2d5824870e17288939d9bfa333ab35601f78da80405c34bde9a215f88ec5ca01ca4c6ee0d4af69bee4b0c130a1ac8be311ac

  Filesize: 26KB
  MD5:      9bb86c8073900283af53b3f55d5fedf3
  SHA1:     73596fcaafdc6c178816c918d35a5b0167011435
  SHA256:   391ba9bd95b1804e47db8c8c115f1268173824ebd1111c190ea1ee4f26dfd67b
  SHA512:   1d972b1180dee6b566641ca662ecb27a2ff96294833d32b2d97d40fb3435d65e0c781207dab088f50deb10a41eba6da8020358a807aa4d151e22a04d42fc5a38