Analysis

max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2024, 03:44
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
Size: 2.7MB
MD5: aeaea6351755710c58f417cb3950fa2c
SHA1: f70dd0ef55453aab682d9e7e7efb87c690160a9d
SHA256: e8648c12edb71ba951b2306a7b235dbdc474f26e33319e8ba7219e4a50dd99bd
SHA512: 8f25389fdf030c6e432fffb73920f7c00bb4343c5f96e7c14743b277edf34f94ee40001912837f268d7191f1b6918d6c21e44d34e95eb6bdf673fd81b95af6ee
SSDEEP: 49152:dJZoQrbTFZY1iacKz58Fcw8uaFKnS3Ubv/Ukd1Zau86XwNjI+zJD9PEe7M:dtrbTA1jr8smMkdDd86XwJXdd7M
Malware Config

Extracted
  Family: njrat
  Version: 0.6.4
  Botnet: JØoker ĦäằäCkèr
  C2: hsn85.no-ip.biz:555
  Mutex: 8100c3226482ae95a43914b125e72414
  Attributes:
    reg_key: 8100c3226482ae95a43914b125e72414
    splitter: |'|'|
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  308   netsh.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2748  System.exe
  2740  Setup_FacebookPasswordHack 2014.exe
  2520  TempNajaf.exe
  2280  Update.exe

Loads dropped DLL (8 IoCs)
  pid   Process
  2124  aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe (2 entries)
  2740  Setup_FacebookPasswordHack 2014.exe (4 entries)
  2748  System.exe
  2520  TempNajaf.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."                 Update.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\8100c3226482ae95a43914b125e72414 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.exe\" .."  Update.exe

Drops file in Windows directory (2 IoCs)
  description   ioc                                                                                  Process
  File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new         System.exe
  File created  C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new    System.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                                  Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  netsh.exe

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TempNajaf.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Update.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  System.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup_FacebookPasswordHack 2014.exe

NSIS installer (2 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x0004000000011ba1-10.dat  nsis_installer_1
  behavioral1/files/0x0004000000011ba1-10.dat  nsis_installer_2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2748  System.exe (the same entry repeated 64 times)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2748  System.exe
  2740  Setup_FacebookPasswordHack 2014.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2748  System.exe
  Token: SeDebugPrivilege  2280  Update.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  description                       pid   Process                                              procid_target
  PID 2124 wrote to memory of 2748  2124  aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe  30  (4 entries)
  PID 2124 wrote to memory of 2740  2124  aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe  31  (7 entries)
  PID 2748 wrote to memory of 2520  2748  System.exe                                           32  (4 entries)
  PID 2520 wrote to memory of 2280  2520  TempNajaf.exe                                        33  (7 entries)
  PID 2280 wrote to memory of 308   2280  Update.exe                                           34  (4 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aeaea6351755710c58f417cb3950fa2c_JaffaCakes118.exe"
  PID: 2124
  Signatures:
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\System.exe
    Command line: C:\Users\Admin\AppData\Local\Temp/System.exe
    PID: 2748
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\TempNajaf.exe
      Command line: "C:\Users\Admin\AppData\Local\TempNajaf.exe"
      PID: 2520
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\AppData\Local\Temp\Update.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Update.exe"
        PID: 2280
        Signatures:
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Windows\SysWOW64\netsh.exe
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Update.exe" "Update.exe" ENABLE
          PID: 308
          Signatures:
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

  Level 2: C:\Users\Admin\AppData\Local\Temp\Setup_FacebookPasswordHack 2014.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp/Setup_FacebookPasswordHack 2014.exe"
    PID: 2740
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads