Analysis
max time kernel: 145s
max time network: 138s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 18:25
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
Size: 127KB
MD5: eccd8b676bdc00e2bca6837225d0de82
SHA1: fcd9d9f947250d807d25e47f71b1e4d33a722c94
SHA256: 4a16f3b48425de38d03e4c5f0d902ade1310b6f4ae413354b5a9949e7a895472
SHA512: 702621e4aee8f0fac1535798abdc1d8e3c731f8449ce2b6c14657fddeecafb8ca17d9fd587e7c7ac0c4668dba40b98a8b77508981d6f30c2d8478396131a19ff
SSDEEP: 3072:jn9ZdSp05IdUts+n+mI8/EUWnBLeQiv04/LvN6OdA/b1M5X:jZQ0FtsM8UkL8vJLpdy2X
Malware Config
Extracted (njrat):
  njrat
  0.7d
  110821
  185.222.57.203:3333
  f30d07865704fc19fcdc80f3519e44b8
  reg_key: f30d07865704fc19fcdc80f3519e44b8
  splitter: |'|'|
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 2556  process netsh.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BetrWin.exe  (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BetrWin.exe  (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 2220 (eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe) set thread context of 2192, procid_target 30

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (process: netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (process: netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh  (process: netsh.exe)

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: RegSvcs.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: netsh.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege  pid 2192  RegSvcs.exe
  Token: 33  pid 2192  RegSvcs.exe
  Token: SeIncBasePriorityPrivilege  pid 2192  RegSvcs.exe
  (the last two entries alternate 17 times in total, giving 35 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 2220 (eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe) wrote to memory of 2192, procid_target 30  (9 identical entries)
  PID 2192 (RegSvcs.exe) wrote to memory of 2556, procid_target 31  (4 identical entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe  (PID 2220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2192)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\netsh.exe  (PID 2556)
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery