Analysis
- max time kernel: 155s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:37
Static task: static1
Behavioral task: behavioral1
- Sample: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Size: 244KB
- MD5: b9b275c08efd0e570023ea72b87d11ca
- SHA1: 973e50e7a08a9a043c954d01b36e81d4b9e8971b
- SHA256: a99d97ddfd8fe18d735e8f849a532558f3b6f71b105770d391957c160708bcbc
- SHA512: 660f8ad67dec852a057ab59c1dc5db45645637843800365f4566d6bce579e2491720f2e13832fa589f34ab65a24b77ffa82aa837606891419626ace32e32fbe8
- SSDEEP: 6144:ZqobsBIUj9y0NPe9DMm0biMLEJOY0+sSNmHP:ZlYBIUj9yZ9DMfiva+sx
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid   Process
  2396  autoPlay.exe
  2512  ~677A.tmp
  2612  cleaethc.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  1416  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
  1416  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
  2396  autoPlay.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\PATHhone = "C:\\Users\\Admin\\AppData\\Roaming\\RMAcerpt\\autoPlay.exe"
  Process: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Drops file in System32 directory (1 IoCs)
  description: File created
  ioc: C:\Windows\SysWOW64\cleaethc.exe
  Process: b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2572  1416        WerFault.exe  27
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2396  autoPlay.exe
  2612  cleaethc.exe
  1196  Explorer.EXE
  (the remaining 63 entries alternate between 2612 cleaethc.exe and 1196 Explorer.EXE)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2396  autoPlay.exe
  Token: SeShutdownPrivilege  1196  Explorer.EXE
- Suspicious use of WriteProcessMemory (16 IoCs)
  description                           pid   Process                                               procid_target  count
  PID 1416 wrote to memory of 2396      1416  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe   28             7
  PID 2396 wrote to memory of 2512      2396  autoPlay.exe                                          29             4
  PID 2512 wrote to memory of 1196      2512  ~677A.tmp                                             21             1
  PID 1416 wrote to memory of 2572      1416  b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe   31             4
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1196
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b9b275c08efd0e570023ea72b87d11ca_JaffaCakes118.exe"), PID 1416
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\RMAcerpt\autoPlay.exe (command line: "C:\Users\Admin\AppData\Roaming\RMAcerpt"), PID 2396
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\~677A.tmp (command line: 1196 250376 2396 1), PID 2512
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 252), PID 2572
      - Program crash
- C:\Windows\SysWOW64\cleaethc.exe (command line: C:\Windows\SysWOW64\cleaethc.exe -s), PID 2612
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: aac3165ece2959f39ff98334618d10d9
  SHA1: 020a191bfdc70c1fbd3bf74cd7479258bd197f51
  SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974
  SHA512: 9eb876812a6a13dd4b090788c2b1d9e9a2e25370598ed5c040f82e6f378edc4b78d58bc8f60d5a559ea57b1edcf3a144bfe09454a9928997173db8279d5b40cf
- Filesize: 244KB
  MD5: 219f0b1f8afe41cd45c07cbc09a5e24e
  SHA1: 9bba33be75c3cd1268d41160979b828608d0602e
  SHA256: 8b8055bb0ed200ddeb2832e6b3bc64d54b2a61ecc6840531fa5d96a0eb7e6a75
  SHA512: 62d18ba97803d430804ed6bdb2444fbd5b5cf4fe2bea5b758c08a2cc5ca7ba64d3e60d8df18beb2b17d2d78f6a475c2ffe2c3688338066bf6777c019864f43f7