Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 13:41
Static task: static1
Behavioral task: behavioral1
  Sample: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
Size: 24KB
MD5: b9cbe0c25e9fd74799a976c1f75b8b87
SHA1: c3f8d8dccb6426041e68280424d56ebf71d4e04c
SHA256: 7079f1604aae85be52c19b83e9660b7b484b1c9f114a41fdfcdb6d69f4dfbada
SHA512: 9afed0b0b7b851499e7f02729ccc9242f5b110549ae99d55945dfdd94d855b6fdaefd9d33236adca01ce5da56f2e92fdceade4ad239cb6e9aa1a49799f7cfa2d
SSDEEP: 384:E3eVES+/xwGkRKJ2ZlM61qmTTMVF9/q540:bGS+ZfbJ2ZO8qYoAB
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  process: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe

Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  process: b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid 1856 | process tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
Uses commandline utility to view network configuration.
  pid 2012 | process ipconfig.exe
  pid 3556 | process NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid 1856 | process tasklist.exe
  description: Token: SeDebugPrivilege | pid 3556 | process NETSTAT.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4612 | process b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe
  pid 4612 | process b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | process | procid_target
  PID 4612 wrote to memory of 4208 | 4612 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 86
  PID 4612 wrote to memory of 4208 | 4612 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 86
  PID 4612 wrote to memory of 4208 | 4612 | b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe | 86
  PID 4208 wrote to memory of 2660 | 4208 | cmd.exe | 88
  PID 4208 wrote to memory of 2660 | 4208 | cmd.exe | 88
  PID 4208 wrote to memory of 2660 | 4208 | cmd.exe | 88
  PID 4208 wrote to memory of 2012 | 4208 | cmd.exe | 90
  PID 4208 wrote to memory of 2012 | 4208 | cmd.exe | 90
  PID 4208 wrote to memory of 2012 | 4208 | cmd.exe | 90
  PID 4208 wrote to memory of 1856 | 4208 | cmd.exe | 91
  PID 4208 wrote to memory of 1856 | 4208 | cmd.exe | 91
  PID 4208 wrote to memory of 1856 | 4208 | cmd.exe | 91
  PID 4208 wrote to memory of 2728 | 4208 | cmd.exe | 94
  PID 4208 wrote to memory of 2728 | 4208 | cmd.exe | 94
  PID 4208 wrote to memory of 2728 | 4208 | cmd.exe | 94
  PID 2728 wrote to memory of 864 | 2728 | net.exe | 95
  PID 2728 wrote to memory of 864 | 2728 | net.exe | 95
  PID 2728 wrote to memory of 864 | 2728 | net.exe | 95
  PID 4208 wrote to memory of 3556 | 4208 | cmd.exe | 96
  PID 4208 wrote to memory of 3556 | 4208 | cmd.exe | 96
  PID 4208 wrote to memory of 3556 | 4208 | cmd.exe | 96
Processes
C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe (PID 4612)
  command line: "C:\Users\Admin\AppData\Local\Temp\b9cbe0c25e9fd74799a976c1f75b8b87_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 4208)
    command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2660)
      command line: cmd /c set
    C:\Windows\SysWOW64\ipconfig.exe (PID 2012)
      command line: ipconfig /all
      - Gathers network information
    C:\Windows\SysWOW64\tasklist.exe (PID 1856)
      command line: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\net.exe (PID 2728)
      command line: net start
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 864)
        command line: C:\Windows\system32\net1 start
    C:\Windows\SysWOW64\NETSTAT.EXE (PID 3556)
      command line: netstat -an
      - Gathers network information
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 13KB
MD5: c6c9477328ed96c222bbf9656209c400
SHA1: 7da7daecdd0709287848ed6fe5f3af9dbd37302f
SHA256: fe5699ac6233f1801d78ac338b670e9be285332a1684331330080a00b1f44874
SHA512: def0b312f8880085927d59e72fbde0bd59c23392f3a768cc2c62f4959b6f36ee07afaadcbf0e1ea8a90c5de961a121a0d97003299f2bd58b80d4a8d0f2937fad