njrat | 2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-12-2024 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
Size

166KB
MD5

4f0a15b2f8d3bc8dd261b28b71685bc3
SHA1

7cef8b2f229d2319145f3728682f581935d1d2ca
SHA256

2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3
SHA512

9d9ccfc2335c88d0973a0ce0389612f8febee9213963196ba5b670faeae74dc6c334f9a1f842ccacc6a575ba9085eba64620e36f4c4227c8278b21f302660f51
SSDEEP

3072:nQBqZ/B+v0JqlfqkNTdQqm7J2E+vYCgbrJCVQhMdT:nQB0idqHogbWaMd

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe

Executes dropped EXE 3 IoCs

pid	Process
3012	Client.exe
448	Client.exe
380	Client.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."	Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	4.tcp.eu.ngrok.io
15	4.tcp.eu.ngrok.io
35	4.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
952	TASKKILL.exe
2920	TASKKILL.exe
2644	TASKKILL.exe
2808	TASKKILL.exe
856	TASKKILL.exe
336	TASKKILL.exe
2584	TASKKILL.exe
1368	TASKKILL.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1440	schtasks.exe
1492	schtasks.exe
1740	schtasks.exe
2816	schtasks.exe
2080	schtasks.exe
2736	schtasks.exe
2052	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
Token: SeDebugPrivilege	2808	TASKKILL.exe
Token: SeDebugPrivilege	2644	TASKKILL.exe
Token: SeDebugPrivilege	3012	Client.exe
Token: SeDebugPrivilege	336	TASKKILL.exe
Token: SeDebugPrivilege	856	TASKKILL.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: SeDebugPrivilege	448	Client.exe
Token: SeDebugPrivilege	2584	TASKKILL.exe
Token: SeDebugPrivilege	1368	TASKKILL.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: SeDebugPrivilege	380	Client.exe
Token: SeDebugPrivilege	952	TASKKILL.exe
Token: SeDebugPrivilege	2920	TASKKILL.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe
Token: 33	3012	Client.exe
Token: SeIncBasePriorityPrivilege	3012	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2464	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	30
PID 2896 wrote to memory of 2464	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	30
PID 2896 wrote to memory of 2464	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	30
PID 2896 wrote to memory of 2464	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	30
PID 2896 wrote to memory of 2736	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	32
PID 2896 wrote to memory of 2736	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	32
PID 2896 wrote to memory of 2736	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	32
PID 2896 wrote to memory of 2736	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	32
PID 2896 wrote to memory of 2808	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	34
PID 2896 wrote to memory of 2808	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	34
PID 2896 wrote to memory of 2808	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	34
PID 2896 wrote to memory of 2808	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	34
PID 2896 wrote to memory of 2644	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	35
PID 2896 wrote to memory of 2644	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	35
PID 2896 wrote to memory of 2644	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	35
PID 2896 wrote to memory of 2644	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	35
PID 2896 wrote to memory of 2080	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	39
PID 2896 wrote to memory of 2080	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	39
PID 2896 wrote to memory of 2080	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	39
PID 2896 wrote to memory of 2080	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	39
PID 2896 wrote to memory of 2052	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	41
PID 2896 wrote to memory of 2052	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	41
PID 2896 wrote to memory of 2052	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	41
PID 2896 wrote to memory of 2052	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	41
PID 2896 wrote to memory of 3012	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	43
PID 2896 wrote to memory of 3012	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	43
PID 2896 wrote to memory of 3012	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	43
PID 2896 wrote to memory of 3012	2896	JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe	43
PID 3012 wrote to memory of 2924	3012	Client.exe	44
PID 3012 wrote to memory of 2924	3012	Client.exe	44
PID 3012 wrote to memory of 2924	3012	Client.exe	44
PID 3012 wrote to memory of 2924	3012	Client.exe	44
PID 3012 wrote to memory of 2940	3012	Client.exe	46
PID 3012 wrote to memory of 2940	3012	Client.exe	46
PID 3012 wrote to memory of 2940	3012	Client.exe	46
PID 3012 wrote to memory of 2940	3012	Client.exe	46
PID 3012 wrote to memory of 856	3012	Client.exe	48
PID 3012 wrote to memory of 856	3012	Client.exe	48
PID 3012 wrote to memory of 856	3012	Client.exe	48
PID 3012 wrote to memory of 856	3012	Client.exe	48
PID 3012 wrote to memory of 336	3012	Client.exe	49
PID 3012 wrote to memory of 336	3012	Client.exe	49
PID 3012 wrote to memory of 336	3012	Client.exe	49
PID 3012 wrote to memory of 336	3012	Client.exe	49
PID 3012 wrote to memory of 2436	3012	Client.exe	52
PID 3012 wrote to memory of 2436	3012	Client.exe	52
PID 3012 wrote to memory of 2436	3012	Client.exe	52
PID 3012 wrote to memory of 2436	3012	Client.exe	52
PID 3012 wrote to memory of 1440	3012	Client.exe	54
PID 3012 wrote to memory of 1440	3012	Client.exe	54
PID 3012 wrote to memory of 1440	3012	Client.exe	54
PID 3012 wrote to memory of 1440	3012	Client.exe	54
PID 1660 wrote to memory of 448	1660	taskeng.exe	58
PID 1660 wrote to memory of 448	1660	taskeng.exe	58
PID 1660 wrote to memory of 448	1660	taskeng.exe	58
PID 1660 wrote to memory of 448	1660	taskeng.exe	58
PID 448 wrote to memory of 3060	448	Client.exe	59
PID 448 wrote to memory of 3060	448	Client.exe	59
PID 448 wrote to memory of 3060	448	Client.exe	59
PID 448 wrote to memory of 3060	448	Client.exe	59
PID 448 wrote to memory of 1492	448	Client.exe	61
PID 448 wrote to memory of 1492	448	Client.exe	61
PID 448 wrote to memory of 1492	448	Client.exe	61
PID 448 wrote to memory of 1492	448	Client.exe	61

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2736
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2052
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2940
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1440

C:\Windows\system32\taskeng.exe
taskeng.exe {8186C1B1-E763-42AE-99A0-8FA91B929D43} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Roaming\Client.exe
  C:\Users\Admin\AppData\Roaming\Client.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1492
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1740
- C:\Users\Admin\AppData\Roaming\Client.exe
  C:\Users\Admin\AppData\Roaming\Client.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2816
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Roaming\Client.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Client.exe

Filesize
166KB

MD5
4f0a15b2f8d3bc8dd261b28b71685bc3

SHA1
7cef8b2f229d2319145f3728682f581935d1d2ca

SHA256
2515a479e1b5aeebc313b0d337aa8be20a7d185414a5f1a76d98c0d31285f9a3

SHA512
9d9ccfc2335c88d0973a0ce0389612f8febee9213963196ba5b670faeae74dc6c334f9a1f842ccacc6a575ba9085eba64620e36f4c4227c8278b21f302660f51

Download Submit
memory/2896-0-0x0000000074131000-0x0000000074132000-memory.dmp

Filesize
4KB

Download
memory/2896-1-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-2-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-3-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-13-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-14-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-22-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download