Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-12-2024 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
Size: 127KB
MD5: eccd8b676bdc00e2bca6837225d0de82
SHA1: fcd9d9f947250d807d25e47f71b1e4d33a722c94
SHA256: 4a16f3b48425de38d03e4c5f0d902ade1310b6f4ae413354b5a9949e7a895472
SHA512: 702621e4aee8f0fac1535798abdc1d8e3c731f8449ce2b6c14657fddeecafb8ca17d9fd587e7c7ac0c4668dba40b98a8b77508981d6f30c2d8478396131a19ff
SSDEEP: 3072:jn9ZdSp05IdUts+n+mI8/EUWnBLeQiv04/LvN6OdA/b1M5X:jZQ0FtsM8UkL8vJLpdy2X
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: 110821
C2: 185.222.57.203:3333
Mutex: f30d07865704fc19fcdc80f3519e44b8
reg_key: f30d07865704fc19fcdc80f3519e44b8
splitter: |'|'|
Signatures
Njrat family
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 3452, process netsh.exe
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BetrWin.exe (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BetrWin.exe (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 1668 set thread context of 1896 (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe, procid_target 84)
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
Program crash (1 IoC)
  pid 2268, process WerFault.exe, pid_target 1668, procid_target 82
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: RegSvcs.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: netsh.exe)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege, pid 1896, process RegSvcs.exe
  Token: 33, pid 1896, process RegSvcs.exe
  Token: SeIncBasePriorityPrivilege, pid 1896, process RegSvcs.exe
  (the remaining 34 entries alternate between the two preceding Token: 33 and Token: SeIncBasePriorityPrivilege events, all for pid 1896 RegSvcs.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1668 wrote to memory of 1896 (process: eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe, procid_target 84), 5 occurrences
  PID 1896 wrote to memory of 3452 (process: RegSvcs.exe, procid_target 89), 3 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eccd8b676bdc00e2bca6837225d0de82_JaffaCakes118.exe"
  PID: 1668
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1896
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "RegSvcs.exe" ENABLE
      PID: 3452
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 220
    PID: 2268
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1668 -ip 1668
  PID: 1992