Analysis
Max time kernel: 150s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-07-2024 17:36
Static task: static1
Behavioral task: behavioral1
  Sample: 203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2 (the run shown on this page)
  Sample: 203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe
  Resource: win10v2004-20240611-en
General
Target: 203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe
Size: 305KB
MD5: 203b73e808125cc0977ccf304ce317d5
SHA1: 35505f4fc885c4bda0562a0d63eacb5cc671e221
SHA256: 571717302e5484af69e655f8a7c30bff4e5b75aa3040301dca16a08754f0ae6c
SHA512: 8f2db3f75c261036b199be759adfa4f9672eb33a0a8b81bff15acc6025477361b2f84691a2083556f8a99931ac5866163ea51b34b672f5bed80d2ac40a5393be
SSDEEP: 6144:YcHbIptSzgSFdPp1rFQ4qFPmVOx342sbLBW3mtA6ZwM6iOOyFt:XcpgzH/Pp1rH3VC4lzWO
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed (njRAT's default campaign ID)
C2: 192.168.1.8:5050
Mutex: 4999afda9f0d69cc9d92a2163f1e945f (the field label was lost in extraction; njRAT uses one string as both its mutex name and its Run-key value name, and this value equals reg_key below)
Attributes
  reg_key: 4999afda9f0d69cc9d92a2163f1e945f
  splitter: |'|'|
Note: 192.168.1.8 is an RFC 1918 private address, so this build can only reach a controller on the victim's own LAN. No C2 traffic is expected from an internet-facing sandbox, which matches the empty Network section of this report. The splitter is the field delimiter njRAT places between values in its C2 messages; together with the version string it is what the config extractor keys on.
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (PID 1112)
  server.exe spawns netsh.exe to add itself as an allowed program (full command line under Processes), so inbound connections to the RAT are not blocked by the host firewall.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe (PID 2952)
  Key value queried: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
  Caveat: this is a heuristic. Legitimate runtimes read the same value when initialising region settings, so a single read is not proof of geofencing.

Executes dropped EXE (1 IoC)
  Processes: server.exe (PID 1468)
  server.exe has the same size and hashes as the submitted sample (see Downloads): the RAT copies itself to %TEMP%\server.exe and runs the copy rather than fetching a second stage.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: server.exe (PID 1468)
  Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4999afda9f0d69cc9d92a2163f1e945f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4999afda9f0d69cc9d92a2163f1e945f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  The value name is the reg_key from the extracted config, and the data is the quoted path of the self-copy followed by " ..". Both the per-user Run key and the 32-bit (WOW6432Node) machine Run key are written; the HKLM write needs administrative rights, so on a standard user account only the HKCU entry would succeed.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes: netsh.exe (PID 1112)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh
  Caveat: all three IoCs are reads. netsh.exe enumerates this key on every start to load its registered helper DLLs, so this is a side effect of the firewall command above, not evidence that the sample registered a helper DLL of its own (that would appear as a value written under the NetSh key).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: server.exe (PID 1468)
  Token: SeDebugPrivilege (once), followed by 17 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege. The sandbox does not resolve privilege 33 to a name; in winnt.h the LUID value 33 is SE_INC_WORKING_SET_PRIVILEGE.

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe, server.exe
  PID 2952 (203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe) wrote to memory of PID 1468 (server.exe), 3 events
  PID 1468 (server.exe) wrote to memory of PID 1112 (netsh.exe), 3 events
  The writes target only the child each process itself spawned (see the process tree), so this signature reflects ordinary process creation rather than injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe (PID 2952)
   Command line: "C:\Users\Admin\AppData\Local\Temp\203b73e808125cc0977ccf304ce317d5_JaffaCakes118.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1468)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 1112)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
         - Modifies Windows Firewall
         - Event Triggered Execution: Netsh Helper DLL
   netsh.exe runs from SysWOW64 because a 32-bit parent is subject to file system redirection, which is consistent with the WOW6432Node registry writes above. The "netsh firewall" context is deprecated on Windows 10 but still accepted; it prints a deprecation notice and applies the rule through the advfirewall engine.
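The extracted config, the signature IoCs and the process tree above can be tied together mechanically: the Run-key value name should equal reg_key, the firewall exception should point at the same binary the Run key persists, the dropped file should hash to the submitted sample, and the NetSh registry activity should be reads only. The script below does that. It is an added example, not Triage's own signature engine; the event dictionaries are constructed here to mirror the report's IoCs, and their shape (op, key, data, cmdline fields) is an assumption of this example rather than the sandbox's schema.

```python
"""Re-derive this report's persistence, firewall-exception and self-copy
findings from the extracted njRAT config and a constructed event stream.

Added example: not Triage code. The EVENTS schema is assumed, and the
event values are constructed from the IoCs printed in the report.
"""
import ipaddress
import re

# SHA256 of the submitted sample, copied from the General section.
SAMPLE_SHA256 = "571717302e5484af69e655f8a7c30bff4e5b75aa3040301dca16a08754f0ae6c"

# Extracted config, copied from the Malware Config section.
CONFIG = {
    "family": "njrat",
    "version": "0.7d",
    "botnet": "HacKed",
    "c2": "192.168.1.8:5050",
    "reg_key": "4999afda9f0d69cc9d92a2163f1e945f",
    "splitter": "|'|'|",
}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's IoCs (assumed schema, not Triage's).
EVENTS = [
    {"pid": 2952, "op": "drop", "path": TEMP + r"\server.exe", "sha256": SAMPLE_SHA256},
    {"pid": 2952, "op": "create_process", "child": 1468,
     "cmdline": '"' + TEMP + r'\server.exe"'},
    {"pid": 1468, "op": "reg_set",
     "key": r"\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4999afda9f0d69cc9d92a2163f1e945f",
     "data": '"' + TEMP + r'\server.exe" ..'},
    {"pid": 1468, "op": "reg_set",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
            r"\4999afda9f0d69cc9d92a2163f1e945f",
     "data": '"' + TEMP + r'\server.exe" ..'},
    {"pid": 1468, "op": "create_process", "child": 1112,
     "cmdline": 'netsh firewall add allowedprogram "' + TEMP + r'\server.exe" "server.exe" ENABLE'},
    # netsh enumerating its helper-DLL list on start: a read, not a write.
    {"pid": 1112, "op": "reg_query",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh"},
]

# Run and RunOnce under any hive / WOW6432Node view; group 1 is the value name.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# njRAT writes the quoted path followed by " .."; take the quoted part only.
QUOTED_PATH = re.compile(r'^"([^"]+)"')
# Legacy "netsh firewall add allowedprogram <path> <name> ENABLE" form seen in this run.
NETSH_ALLOW = re.compile(r'^netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
# A real helper-DLL registration writes a value *under* the NetSh key.
NETSH_HELPER = re.compile(r"\\Microsoft\\NetSh\\", re.I)


def run_key_entries(events):
    """(value name, target path) for every Run/RunOnce value written."""
    out = []
    for e in events:
        if e["op"] != "reg_set":
            continue
        name = RUN_KEY.search(e["key"])
        path = QUOTED_PATH.match(e["data"])
        if name and path:
            out.append((name.group(1), path.group(1)))
    return out


def firewall_allowed_programs(events):
    """Paths whitelisted via netsh by any spawned process."""
    hits = []
    for e in events:
        if e["op"] == "create_process":
            m = NETSH_ALLOW.match(e["cmdline"])
            if m:
                hits.append(m.group(1))
    return hits


def self_copies(events, sample_sha256):
    """Dropped files whose hash equals the submitted sample's."""
    return [e["path"] for e in events
            if e["op"] == "drop" and e.get("sha256", "").lower() == sample_sha256.lower()]


def netsh_helper_dll_registered(events):
    """True only on a write below HKLM\\SOFTWARE\\...\\NetSh; reads are normal netsh start-up."""
    return any(e["op"] == "reg_set" and NETSH_HELPER.search(e["key"]) for e in events)


def assess(config, events, sample_sha256):
    runs = run_key_entries(events)
    persisted = {path for _, path in runs}
    allowed = firewall_allowed_programs(events)
    host, _, port = config["c2"].rpartition(":")
    return {
        "run_key_name_matches_config": any(name == config["reg_key"] for name, _ in runs),
        "run_key_count": len(runs),
        "persisted_paths": sorted(persisted),
        "firewall_exception_for_persisted_binary": any(p in persisted for p in allowed),
        "dropped_file_is_self_copy": bool(self_copies(events, sample_sha256)),
        "netsh_helper_dll_registered": netsh_helper_dll_registered(events),
        "c2_is_private_address": ipaddress.ip_address(host).is_private,
        "c2_port": int(port),
    }


if __name__ == "__main__":
    for key, value in assess(CONFIG, EVENTS, SAMPLE_SHA256).items():
        print(f"{key}: {value}")
```

The same regexes work on a live host's own telemetry (Sysmon event 13 for the registry writes, event 1 for the netsh command line) once the events are mapped into the assumed fields; the two cross-checks worth keeping are that the Run value name equals the extracted reg_key and that the firewall exception names the persisted binary, since those are what distinguish this run from benign Run-key or netsh activity.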
Network
No network indicators are recorded in this section of the report, which is consistent with the C2 being a private (RFC 1918) address reachable only on a LAN.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process: Windows Service (1) [T1543.003]
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1) [T1547.001]
  Event Triggered Execution: Netsh Helper DLL (1) [T1546.007]
Privilege Escalation
  Create or Modify System Process: Windows Service (1) [T1543.003]
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1) [T1547.001]
  Event Triggered Execution: Netsh Helper DLL (1) [T1546.007]
Note: the matrix as extracted shows only the Persistence and Privilege Escalation columns. No signature above records a service being created, and the Netsh Helper DLL entry rests on read-only registry access by netsh.exe; the behaviours actually observed are the Run-key write and the firewall exception.
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 305KB
  MD5: 203b73e808125cc0977ccf304ce317d5
  SHA1: 35505f4fc885c4bda0562a0d63eacb5cc671e221
  SHA256: 571717302e5484af69e655f8a7c30bff4e5b75aa3040301dca16a08754f0ae6c
  SHA512: 8f2db3f75c261036b199be759adfa4f9672eb33a0a8b81bff15acc6025477361b2f84691a2083556f8a99931ac5866163ea51b34b672f5bed80d2ac40a5393be
  Size and all four hashes match the submitted sample: the dropped file is a self-copy, not a second-stage payload.

Memory dumps (name encodes PID, dump index and virtual address range)
  memory/2952-0-0x00000000746FE000-0x00000000746FF000-memory.dmp   4KB
  memory/2952-1-0x00000000001E0000-0x0000000000232000-memory.dmp   328KB
  memory/2952-2-0x0000000004C10000-0x0000000004CAC000-memory.dmp   624KB
  memory/2952-3-0x0000000005260000-0x0000000005804000-memory.dmp   5.6MB
  memory/2952-4-0x0000000004CB0000-0x0000000004D42000-memory.dmp   584KB
  memory/2952-5-0x0000000004BE0000-0x0000000004BEA000-memory.dmp   40KB
  memory/2952-6-0x00000000746F0000-0x0000000074EA0000-memory.dmp   7.7MB
  memory/2952-7-0x0000000004EB0000-0x0000000004F06000-memory.dmp   344KB
  memory/2952-8-0x0000000005010000-0x000000000501C000-memory.dmp   48KB
  memory/2952-21-0x00000000746F0000-0x0000000074EA0000-memory.dmp  7.7MB
  memory/1468-22-0x00000000746F0000-0x0000000074EA0000-memory.dmp  7.7MB
  memory/1468-23-0x00000000746F0000-0x0000000074EA0000-memory.dmp  7.7MB
  memory/1468-24-0x00000000746F0000-0x0000000074EA0000-memory.dmp  7.7MB
  The 7.7MB region at 0x746F0000-0x74EA0000 is dumped at the same address in both PIDs, so it is one shared module mapped into both processes rather than process-specific code; the per-process regions of interest are the smaller ones in PID 2952.