Analysis

max time kernel:   149s
max time network:  148s
platform:          windows7_x64
resource:          win7-20240319-en
resource tags:     arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted:         04-04-2024 02:01
Static task: static1

Behavioral task: behavioral1
  Sample:   ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
  Resource: win7-20240319-en

Behavioral task: behavioral2
  Sample:   ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target:  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
Size:    58KB
MD5:     ac8ca6a89c097ad5ebe2ed376e52637c
SHA1:    b7fb1ba2ad4b892b37f731a0d77d897e12e1305e
SHA256:  5c4dc0a7ee6eda98aa684c59f2d26882dc904ea617eee7f3125b5ce6929e3fe7
SHA512:  3188f569330e670da2528259b035a869cb4acbdb46f59a1aca37e82b4a5bd715994286a4acdec8116dde05870cc8c6d35bfc833322d9983abeec4faace18e2c2
SSDEEP:  768:32Xyttp4KlRamjIMEI6M8obwTtmfvg3RylG1Bc+goe:mXy/pjRbjZwtmwEloBrNe
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winver.exe
  description      ioc                                                                                                                                                           process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\D9D07F24 = "C:\\Users\\Admin\\AppData\\Roaming\\D9D07F24\\bin.exe"  winver.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
  description                           pid   process                                              target process
  PID 2220 set thread context of 1620   2220  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: winver.exe
  pid   process
  2284  winver.exe  (64 events, all from this process)

Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: winver.exe, Explorer.EXE
  pid   process
  2284  winver.exe
  1272  Explorer.EXE
  1272  Explorer.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
  pid   process
  1272  Explorer.EXE
  1272  Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
  pid   process
  2220  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe, winver.exe
  description                        pid   process                                              target process
  PID 2220 wrote to memory of 1620   2220  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe  (7 events)
  PID 1620 wrote to memory of 2284   1620  ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe  winver.exe                                           (5 events)
  PID 2284 wrote to memory of 1272   2284  winver.exe                                           Explorer.EXE
  PID 2284 wrote to memory of 1124   2284  winver.exe                                           taskhost.exe
  PID 2284 wrote to memory of 1224   2284  winver.exe                                           Dwm.exe
  PID 2284 wrote to memory of 1272   2284  winver.exe                                           Explorer.EXE
  PID 2284 wrote to memory of 840    2284  winver.exe                                           DllHost.exe
Processes

C:\Windows\system32\taskhost.exe
  Command line: "taskhost.exe"
  PID: 1124

C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1224

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1272
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"
      PID: 2220
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"
          PID: 1620
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\winver.exe
              Command line: winver
              PID: 2284
              - Adds Run key to start application
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 840
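As an added example that is not part of the sandbox report (nor the sandbox vendor's own code), the script below re-parses the WriteProcessMemory and SetThreadContext events listed under Signatures, using the parent/child relationships from the Processes section, and separates the two things the report shows mixed together: the sample's self-injection into its own child (SetThreadContext plus seven writes into PID 1620, then a hand-off into a freshly spawned winver.exe), and the writes that leave the sample's lineage into pre-existing processes (Explorer.EXE, taskhost.exe, Dwm.exe, DllHost.exe). The event strings are copied from the report into a list; the "lineage" heuristic, the function names and the tree dictionary are this example's own assumptions.

```python
"""Reconstruct the injection chain from sandbox behavioural event lines.

Added example, not part of the original report. The event text below is
copied from the report (one event per line); the lineage heuristic and the
helper names are this example's own, not the sandbox's logic.
"""
import re
from collections import Counter

SAMPLE = "ac8ca6a89c097ad5ebe2ed376e52637c_JaffaCakes118.exe"

# Constructed from the report's SetThreadContext and WriteProcessMemory
# signatures, in the sandbox's own wording: "PID <src> <verb> <dst> <src> <src image> <dst image>".
REPORT_EVENTS = (
    [f"PID 2220 set thread context of 1620 2220 {SAMPLE} {SAMPLE}"]
    + [f"PID 2220 wrote to memory of 1620 2220 {SAMPLE} {SAMPLE}"] * 7
    + [f"PID 1620 wrote to memory of 2284 1620 {SAMPLE} winver.exe"] * 5
    + [
        "PID 2284 wrote to memory of 1272 2284 winver.exe Explorer.EXE",
        "PID 2284 wrote to memory of 1124 2284 winver.exe taskhost.exe",
        "PID 2284 wrote to memory of 1224 2284 winver.exe Dwm.exe",
        "PID 2284 wrote to memory of 1272 2284 winver.exe Explorer.EXE",
        "PID 2284 wrote to memory of 840 2284 winver.exe DllHost.exe",
    ]
)

# child PID -> parent PID, taken from the report's process tree. PIDs that
# appear only at the top level (1124, 1224, 1272, 840) have no recorded
# parent and are treated as pre-existing system processes.
PROCESS_TREE = {2220: 1272, 1620: 2220, 2284: 1620}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_events(lines):
    """Turn sandbox event strings into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            events.append(d)
    return events


def descendants(root, tree):
    """PIDs spawned directly or indirectly by root, root included."""
    out, changed = {root}, True
    while changed:
        changed = False
        for child, parent in tree.items():
            if parent in out and child not in out:
                out.add(child)
                changed = True
    return out


def injection_summary(events, tree, root):
    """One row per (src, dst) pair: write count, whether SetThreadContext was also
    seen on the pair (the hollowing signal), and whether dst lies outside root's lineage."""
    own = descendants(root, tree)
    writes, images, hollowed = Counter(), {}, set()
    for e in events:
        key = (e["src"], e["dst"])
        images[key] = (e["src_img"], e["dst_img"])
        if e["verb"] == "wrote to memory of":
            writes[key] += 1
        else:
            hollowed.add(key)
    return [
        {
            "src": src, "dst": dst,
            "src_img": images[(src, dst)][0], "dst_img": images[(src, dst)][1],
            "writes": n, "thread_context": (src, dst) in hollowed,
            "cross_lineage": dst not in own,
        }
        for (src, dst), n in sorted(writes.items())
    ]


def injection_chain(rows, root):
    """Follow in-lineage writes from root: the hand-off path of the payload."""
    path = [root]
    while True:
        nxt = [r["dst"] for r in rows
               if r["src"] == path[-1] and not r["cross_lineage"] and r["dst"] not in path]
        if not nxt:
            return path
        path.append(nxt[0])


def external_targets(rows):
    """Images of pre-existing processes written to from inside the lineage."""
    return sorted({r["dst_img"] for r in rows if r["cross_lineage"]})


if __name__ == "__main__":
    rows = injection_summary(parse_events(REPORT_EVENTS), PROCESS_TREE, 2220)
    for r in rows:
        flag = "HOLLOW " if r["thread_context"] else ""
        flag += "CROSS-LINEAGE" if r["cross_lineage"] else "own child"
        print(f"{r['src']:>5} -> {r['dst']:<5} {r['dst_img']:<52} x{r['writes']}  {flag}")
    print("chain:", " -> ".join(map(str, injection_chain(rows, 2220))))
    print("written into pre-existing processes:", ", ".join(external_targets(rows)))
```

Run as-is to print the per-pair table, the chain 2220 -> 1620 -> 2284, and the four pre-existing targets. On real hosts, the same split is the useful one: a parent writing into a child it just created and then resetting its thread context is the hollowing pattern, while a process such as winver.exe writing into Explorer.EXE or DllHost.exe is the cross-process step that telemetry (Sysmon event 8/10 or EDR equivalents) should alert on.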