Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2025, 11:37
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe
Resource
win10v2004-20250502-en
General
-
Target
JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe
-
Size
548KB
-
MD5
0743c67aedde35b9fe3dc919ef56e880
-
SHA1
09ae6635c99887099d8c09732f9c37af3e299dbd
-
SHA256
e28946d1082fb107cfcc9fa2d0dbae466d60b27b1d52600945aa93e4f0d7f266
-
SHA512
b098534ab13c7cb682a6dee23e730929beb90e34c4edad305a9077efa3a05e8b0ecab981e6795bcc921e6ee623167e2917521aa40252b6d8e26b2bb092a96cc0
-
SSDEEP
3072:8KV0mhIcFskWWn0LWHCcvPWRvAbxh/ybZiEOGx8Zm0QzrhN4gUvxU/LYUIsRVHNM:1ln0ECczqiGSeX4g+a/LY
Malware Config
Extracted
njrat
0.7d
HacKed0===
ahmaddddd362.zapto.org:1177
76d6a3cdfe0225f3ce7e5917efc89fff
-
reg_key
76d6a3cdfe0225f3ce7e5917efc89fff
-
splitter
|'|'|
Extracted
latentbot
ahmaddddd362.zapto.org
Signatures
-
Latentbot family
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3088 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\Control Panel\International\Geo\Nation JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Key value queried \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\Control Panel\International\Geo\Nation Server.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76d6a3cdfe0225f3ce7e5917efc89fff.exe system32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\76d6a3cdfe0225f3ce7e5917efc89fff.exe system32.exe -
Executes dropped EXE 8 IoCs
pid Process 2000 Server.exe 3056 Server.exe 1668 Server.exe 3568 Server.exe 4732 system32.exe 2244 system32.exe 4592 system32.exe 1576 system32.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kay = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Set value (str) \REGISTRY\USER\S-1-5-21-3920234085-916416549-2700794571-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\76d6a3cdfe0225f3ce7e5917efc89fff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system32.exe\" .." system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\76d6a3cdfe0225f3ce7e5917efc89fff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system32.exe\" .." system32.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\Windows\assembly\Desktop.ini JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe File opened for modification C:\Windows\assembly\Desktop.ini JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 3056 set thread context of 1668 3056 Server.exe 93 PID 2000 set thread context of 3568 2000 Server.exe 92 PID 4732 set thread context of 2244 4732 system32.exe 104 PID 4592 set thread context of 1576 4592 system32.exe 113 -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\assembly JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe File created C:\Windows\assembly\Desktop.ini JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe File opened for modification C:\Windows\assembly\Desktop.ini JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Token: 33 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Token: SeIncBasePriorityPrivilege 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe Token: SeDebugPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe Token: 33 2244 system32.exe Token: SeIncBasePriorityPrivilege 2244 system32.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 628 wrote to memory of 2000 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe 90 PID 628 wrote to memory of 2000 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe 90 PID 628 wrote to memory of 2000 628 JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe 90 PID 432 wrote to memory of 3056 432 cmd.exe 91 PID 432 wrote to memory of 3056 432 cmd.exe 91 PID 432 wrote to memory of 3056 432 cmd.exe 91 PID 2000 wrote to memory of 3568 2000 Server.exe 92 PID 2000 wrote to memory of 3568 2000 Server.exe 92 PID 2000 wrote to memory of 3568 2000 Server.exe 92 PID 3056 wrote to memory of 1668 3056 Server.exe 93 PID 3056 wrote to memory of 1668 3056 Server.exe 93 PID 3056 wrote to memory of 1668 3056 Server.exe 93 PID 3056 wrote to memory of 1668 3056 Server.exe 93 PID 3056 wrote to memory of 1668 3056 Server.exe 93 PID 2000 wrote to memory of 3568 2000 Server.exe 92 PID 2000 wrote to memory of 3568 2000 Server.exe 92 PID 1668 wrote to memory of 4732 1668 Server.exe 103 PID 1668 wrote to memory of 4732 1668 Server.exe 103 PID 1668 wrote to memory of 4732 1668 Server.exe 103 PID 4732 wrote to memory of 2244 4732 system32.exe 104 PID 4732 wrote to memory of 2244 4732 system32.exe 104 PID 4732 wrote to memory of 2244 4732 system32.exe 104 PID 4732 wrote to memory of 2244 4732 system32.exe 104 PID 4732 wrote to memory of 2244 4732 system32.exe 104 PID 2244 wrote to memory of 3088 2244 system32.exe 108 PID 2244 wrote to memory of 3088 2244 system32.exe 108 PID 2244 wrote to memory of 3088 2244 system32.exe 108 PID 3612 wrote to memory of 4592 3612 cmd.exe 112 PID 3612 wrote to memory of 4592 3612 cmd.exe 112 PID 3612 wrote to memory of 4592 3612 cmd.exe 112 PID 4592 wrote to memory of 1576 4592 system32.exe 113 PID 4592 wrote to memory of 1576 4592 system32.exe 113 PID 4592 wrote to memory of 1576 4592 system32.exe 113 PID 4592 wrote to memory of 1576 4592 system32.exe 113 PID 4592 wrote to memory of 1576 4592 system32.exe 113
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0743c67aedde35b9fe3dc919ef56e880.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp\Server.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\Server.exe1⤵
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp\Server.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\Server.exeC:\Users\Admin\AppData\Local\Temp\Server.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\system32.exe"C:\Users\Admin\AppData\Local\Temp\system32.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\system32.exeC:\Users\Admin\AppData\Local\Temp\system32.exe5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system32.exe" "system32.exe" ENABLE6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3088
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\system32.exe" ..1⤵
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Users\Admin\AppData\Local\Temp\system32.exeC:\Users\Admin\AppData\Local\Temp\system32.exe ..2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\system32.exeC:\Users\Admin\AppData\Local\Temp\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1576
-
-
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
223B
MD5cde6529abeea500fb852f29ba0da6115
SHA145f2f48492417ae6a0eade8aaa808d3d1d760743
SHA256d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5
SHA512c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234
-
Filesize
57KB
MD569e4e308c802ea0225be31138739279d
SHA195099c282b8833d38c2cc32a72eb6cc3ceef5cfa
SHA2560278015c57cf069583fa9b3396a9278aea01c16c4780b05f4817564463841a40
SHA512915a96622131b6ca87d6af3ee048247c9cf78f67ec6068fcdd01c3af2a938fdf319d44cdf0615042eb8f4a673cca953d63e0e325154c44d2741398abe510d04d