Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
02-04-2024 02:52
Static task
static1
Behavioral task
behavioral1
Sample
819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
Resource
win7-20240220-en
General
-
Target
819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe
-
Size
3.0MB
-
MD5
819b5fb73253e7d3f28317e55d8abe50
-
SHA1
7cf2d9e29f7920fbae1ef3b85de9acdf3a4aca92
-
SHA256
d74b85d646feda822c37e75a040d6f78c5bb77a2bff573cd1b979a6cee24e14a
-
SHA512
fd1a72f47c123db28581c4dd38dfe8a2beddee7d48bde58c73095b78e3d786af17313178655e61764a8fd60f64c99877e450d1d8cef5499d1addc89cacfde78d
-
SSDEEP
49152:sU4hts+ogRQExtgK2NQaovxFiTMboJz75izELu2JuqlVu222lgqvsAMLoTAeGaVU:ghtxoiQQacxLbQz75xTVu2YEAxax
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2600 Clickermann.exe 2816 чит.exe.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 4 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 2600 Clickermann.exe 2600 Clickermann.exe 2600 Clickermann.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe Token: SeDebugPrivilege 2600 Clickermann.exe Token: SeDebugPrivilege 2816 чит.exe.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2728 wrote to memory of 2600 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 28 PID 2728 wrote to memory of 2600 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 28 PID 2728 wrote to memory of 2600 2728 819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe 28 PID 2600 wrote to memory of 2816 2600 Clickermann.exe 29 PID 2600 wrote to memory of 2816 2600 Clickermann.exe 29 PID 2600 wrote to memory of 2816 2600 Clickermann.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\819b5fb73253e7d3f28317e55d8abe50_JaffaCakes118.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Users\Admin\AppData\Local\Temp\Clickermann.exe"C:\Users\Admin\AppData\Local\Temp\Clickermann.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\чит.exe.exe"C:\Users\Admin\AppData\Local\Temp\чит.exe.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD58becb410816637816e135d434c7c1ba1
SHA15136b51d2e9c47d303653ab650678d7d4d23428d
SHA2565f7889777637e28831aa3c5516e6f004aa271a5a5be6693855c73429930b388d
SHA512c6d1e0f06a1986c8fa7c5dc2ee574670f572c176e47a60f72572326ecdd1b558a0a3465398ae1ccf7371c58f0207d6a1d358383bd1cd82dfb6610bbb4d482dc8
-
Filesize
1.0MB
MD5de95d010435edcb75114d1930ce382e9
SHA1bf31e42580476dd86db963b76762d33544c5a1e3
SHA256314578eea5e3c96f9e893b65c43646ac1304368a06dd7477413b13903d8e7eec
SHA5129862e9ce504f1addea1d467f0b4f0286d27fcb419d3f0ff71e9ddac12318903e186b82522224369c9e3c81a7b258bafac1e163239e94f52fe4919ac0bd367f6a