Analysis
max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 04-12-2024 02:36
Static task: static1
Behavioral task: behavioral1
  Sample: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
Size: 118KB
MD5: c06aa970bd19848b1e30d7ef29b96db9
SHA1: d00136054593fd2866a708ab0747a906a9329ddc
SHA256: a6f6e5c3c97c144017680125611d208180a11cbede998b814eccc003d19958c9
SHA512: e89b997a3c3c2209b27413a4d91e8e85832bfb8b0a5732194d92f6e7f0d3b17c2b3835bc00d54d2851ecaaee7c6dceb09c6263bdeba9f8865f775ab341afe655
SSDEEP: 1536:u7f65g9OX2CLGAApICdOk/dYLAZXdlItBGTjeIOlnToIfqwqHTTarAW9ctzqmg1I:knlVICUkLrGGTINTBfqHHYcFqmaI
Malware Config
Signatures
Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid | Process
2832 | netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | cscript.exe
Executes dropped EXE (1 IoC)
pid | Process
2336 | ServerName.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ServerName.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Token: 33 | 2336 | ServerName.exe
Token: SeIncBasePriorityPrivilege | 2336 | ServerName.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2216 wrote to memory of 3436 | 2216 | c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe | 83
PID 2216 wrote to memory of 3436 | 2216 | c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe | 83
PID 3436 wrote to memory of 2336 | 3436 | cscript.exe | 84
PID 3436 wrote to memory of 2336 | 3436 | cscript.exe | 84
PID 3436 wrote to memory of 2336 | 3436 | cscript.exe | 84
PID 2336 wrote to memory of 2832 | 2336 | ServerName.exe | 85
PID 2336 wrote to memory of 2832 | 2336 | ServerName.exe | 85
PID 2336 wrote to memory of 2832 | 2336 | ServerName.exe | 85
Processes
C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c06aa970bd19848b1e30d7ef29b96db9_JaffaCakes118.exe"
  PID: 2216
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cscript.exe
    Command line: "C:\Windows\sysnative\cscript" C:\Users\Admin\AppData\Local\Temp\A7E8.tmp\A7E9.tmp\A7EA.vbs //Nologo
    PID: 3436
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\ServerName.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ServerName.exe"
      PID: 2336
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ServerName.exe" "ServerName.exe" ENABLE
        PID: 2832
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
Filesize: 64KB
MD5: b2cca365214a78a41e520385fe38ca6d
SHA1: cc35acfe65dd34e10981a8a1b826d075ab73e558
SHA256: 5e3416c1f4df20a75410f322edacb3247fe2e270a6abd13765f243f9f82cdb5a
SHA512: 3c35f92f43e5a2cce29be8dd6d42a84a7436390224114c572c71dc4258b2beb35a1aea6ff4c9c82a60dc0ab3554da88fd880b5931204f450da30e6ac4ae3e384

Filesize: 23KB
MD5: 41131e8adc7272f892a2c93ef32a1c60
SHA1: fe49f5293e0ec55720e9f1bb48666e513d16b81d
SHA256: 81fa732787973ee56d454a5b438b6495a1c855c47f6e86c4d44b1f35f163546b
SHA512: 006c21afcefaea738ab46939edbfb5c18fbf16e62afa2f2ff9d667a184a8f1eceeb65ae4c222245452fd1e016ce5849f4e1f5d2734f6684e9e9e8de59adc76ae