Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04/04/2024, 13:41
Static task: static1
Behavioral task: behavioral1
- Sample: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Size: 24KB
- MD5: b9cbe0c25e9fd74799a976c1f75b8b87
- SHA1: c3f8d8dccb6426041e68280424d56ebf71d4e04c
- SHA256: 7079f1604aae85be52c19b83e9660b7b484b1c9f114a41fdfcdb6d69f4dfbada
- SHA512: 9afed0b0b7b851499e7f02729ccc9242f5b110549ae99d55945dfdd94d855b6fdaefd9d33236adca01ce5da56f2e92fdceade4ad239cb6e9aa1a49799f7cfa2d
- SSDEEP: 384:E3eVES+/xwGkRKJ2ZlM61qmTTMVF9/q540:bGS+ZfbJ2ZO8qYoAB
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  Process: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 2968: tasklist.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid 2864: ipconfig.exe
  pid 2792: NETSTAT.EXE
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 2968: tasklist.exe
  Token: SeDebugPrivilege, pid 2792: NETSTAT.EXE
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2020: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
  pid 2020: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 2784 | 2020 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 28
  PID 2020 wrote to memory of 2784 | 2020 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 28
  PID 2020 wrote to memory of 2784 | 2020 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 28
  PID 2020 wrote to memory of 2784 | 2020 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 28
  PID 2784 wrote to memory of 2312 | 2784 | cmd.exe | 30
  PID 2784 wrote to memory of 2312 | 2784 | cmd.exe | 30
  PID 2784 wrote to memory of 2312 | 2784 | cmd.exe | 30
  PID 2784 wrote to memory of 2312 | 2784 | cmd.exe | 30
  PID 2784 wrote to memory of 2864 | 2784 | cmd.exe | 31
  PID 2784 wrote to memory of 2864 | 2784 | cmd.exe | 31
  PID 2784 wrote to memory of 2864 | 2784 | cmd.exe | 31
  PID 2784 wrote to memory of 2864 | 2784 | cmd.exe | 31
  PID 2784 wrote to memory of 2968 | 2784 | cmd.exe | 32
  PID 2784 wrote to memory of 2968 | 2784 | cmd.exe | 32
  PID 2784 wrote to memory of 2968 | 2784 | cmd.exe | 32
  PID 2784 wrote to memory of 2968 | 2784 | cmd.exe | 32
  PID 2784 wrote to memory of 2504 | 2784 | cmd.exe | 34
  PID 2784 wrote to memory of 2504 | 2784 | cmd.exe | 34
  PID 2784 wrote to memory of 2504 | 2784 | cmd.exe | 34
  PID 2784 wrote to memory of 2504 | 2784 | cmd.exe | 34
  PID 2504 wrote to memory of 2532 | 2504 | net.exe | 35
  PID 2504 wrote to memory of 2532 | 2504 | net.exe | 35
  PID 2504 wrote to memory of 2532 | 2504 | net.exe | 35
  PID 2504 wrote to memory of 2532 | 2504 | net.exe | 35
  PID 2784 wrote to memory of 2792 | 2784 | cmd.exe | 36
  PID 2784 wrote to memory of 2792 | 2784 | cmd.exe | 36
  PID 2784 wrote to memory of 2792 | 2784 | cmd.exe | 36
  PID 2784 wrote to memory of 2792 | 2784 | cmd.exe | 36
Processes
- C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe"
  signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  PID: 2020
  - C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    signatures: Suspicious use of WriteProcessMemory
    PID: 2784
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c set
      PID: 2312
    - C:\Windows\SysWOW64\ipconfig.exe
      command line: ipconfig /all
      signatures: Gathers network information
      PID: 2864
    - C:\Windows\SysWOW64\tasklist.exe
      command line: tasklist
      signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      PID: 2968
    - C:\Windows\SysWOW64\net.exe
      command line: net start
      signatures: Suspicious use of WriteProcessMemory
      PID: 2504
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 start
        PID: 2532
    - C:\Windows\SysWOW64\NETSTAT.EXE
      command line: netstat -an
      signatures: Gathers network information; Suspicious use of AdjustPrivilegeToken
      PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 4de58fe695a2469a2ae859b07cb20458
  SHA1: 2f6737e2ded9f5d804581fa284caba30bd6468d1
  SHA256: 0bf2b778bfaace4c032ce479cb76328c77d86311d66e3776d56ad750271d09e9
  SHA512: dd28f0720292251f93083ab36062fdf612ddcb0b1d16773c42fbe973f3f27f3964e747952d388ad30bd98075dc2d10ce3f5c8f5b1a3baadb458d0c38edb71a25