Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:34

Static task: static1
Behavioral task: behavioral1
  Sample: be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe
Size: 484KB
MD5: be76907382f73b8f9e962af193c82d53
SHA1: cf3c5a90877525faf8b5caf3c4808d75aa4ffdba
SHA256: c1ccafacd91f7483969270d48c71146359830cb1079e0b221b139b8fa2e997bf
SHA512: 06911f11465f8644320a1f308a8991c1316318725af47de8d642d47ae6fc08417b64f4c5e3d98d453a062af645fe4d9d9da64ecea64adb5c3762286ae14cd744
SSDEEP: 12288:E2JylsKTUHyjndvQSrrXvbGIqBGr1m+upBy:E2JyxgHyLJ5qMr1nyBy
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
  PID 4472  be76907382f73b8f9e962af193c82d53_JaffaCakes118.tmp
  PID 2032  be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm
  PID 4716  SOS.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe"  by be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe"  by be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS = "C:\\Windows\\SOS.exe"  by SOS.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SOS = "C:\\Windows\\SOS.exe"  by SOS.exe

Two things to note when hunting for this. The same two values are written first by the dropper (.mm) and again by the dropped SOS.exe itself, so the persistence survives even if the dropper is killed early. Of the two locations, only the per-user Run value is effective: RunServices was processed by Windows 9x/ME and is inert on NT-based Windows, so its presence marks intent (and old tooling) rather than a working autostart. The WOW6432Node prefix shows the writers are 32-bit processes hitting the WOW64 registry redirector under HKLM\SOFTWARE; the HKU hive is not redirected, which is why the per-user value has no WOW6432Node component. A 64-bit hunt that only reads the native HKLM view will miss the RunServices value.
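The following is an added detection example, not part of the sandbox output or of the sample. It applies the reasoning above to constructed Sysmon Event ID 13 (RegistryEvent, value set) records shaped after the four IoCs: it folds the sandbox's \REGISTRY\MACHINE spelling and Sysmon's HKLM / HKU\<SID> spelling onto one key form, strips WOW6432Node so 32-bit and 64-bit writers compare equal, flags RunServices as a legacy key, and raises a finding when the registered image sits outside an expected install location or is the writer registering itself. TargetObject, Details and Image are Sysmon's real field names; the sample events, the allow-list of image prefixes and the scoring are assumptions made for this demo.

```python
"""Flag autostart registry writes like the report's four "Set value (str)" IoCs.

Added example, not sandbox output. Runs over constructed Sysmon EID 13 records.
"""
import re
from typing import Optional

# Autostart containers, compared after hive, SID and WOW6432Node are folded away.
AUTOSTART_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
    "software\\microsoft\\windows\\currentversion\\runservices",
    "software\\microsoft\\windows\\currentversion\\runservicesonce",
)
# RunServices / RunServicesOnce were only processed by Windows 9x/ME; on NT-based
# Windows they are inert, so a write there shows intent but persists nothing.
LEGACY_KEYS = AUTOSTART_KEYS[2:]

# Where an autostart image may live without raising a finding (demo assumption).
EXPECTED_IMAGE_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
)


def normalize_key(target_object: str) -> tuple:
    """Return (hive, key) for the sandbox's \\REGISTRY\\MACHINE spelling and for
    Sysmon's HKLM / HKU\\<SID> spelling, with the WOW6432Node (32-bit) view folded
    into the 64-bit one so both kinds of writer compare equal."""
    parts = target_object.strip("\\").lower().split("\\")
    if parts[0] == "registry":
        parts = parts[1:]
    hive, rest = parts[0], parts[1:]
    if hive in ("hklm", "machine"):
        hive = "HKLM"
    elif hive in ("hku", "user", "users"):
        hive, rest = "HKU", rest[1:]      # drop the SID so per-user keys compare equal
    elif hive == "hkcu":
        hive = "HKU"
    rest = [p for p in rest if p != "wow6432node"]
    return hive, "\\".join(rest)


def image_from_details(details: str) -> str:
    """Pull the executable path out of a Run-value string: accepts the sandbox's
    doubled backslashes, a quoted path followed by arguments, or a bare path."""
    value = details.strip().replace("\\\\", "\\")
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    match = re.match(r"(.*?\.exe)(\s|$)", value, re.IGNORECASE)
    return match.group(1) if match else value.split(" ")[0]


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious autostart write, else None."""
    hive, key = normalize_key(event["TargetObject"])
    container, _, value_name = key.rpartition("\\")
    if container not in AUTOSTART_KEYS:
        return None
    image = image_from_details(event["Details"])
    finding = {
        "value": hive + "\\" + container + "\\" + value_name,
        "image": image,
        "writer": event["Image"],
        "legacy_key": container in LEGACY_KEYS,
        "unexpected_location": not image.lower().startswith(EXPECTED_IMAGE_PREFIXES),
        # Second pair of IoCs in the report: the persisted binary re-registers itself.
        "self_persisting": image.lower() == event["Image"].lower(),
    }
    if finding["legacy_key"] or finding["unexpected_location"] or finding["self_persisting"]:
        return finding
    return None


def scan(events) -> list:
    return [f for f in (analyze_event(e) for e in events if e.get("EventID") == 13) if f]


def _ev(image, target, details):
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": details}


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm"
SOS = r"C:\Windows\SOS.exe"
SID = "S-1-5-21-3270530367-132075249-2153716227-1000"
RUNSERVICES = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\SOS"
USER_RUN = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SOS"

# Constructed records shaped after the report's IoCs, plus two controls.
SAMPLE_EVENTS = [
    _ev(DROPPER, RUNSERVICES, SOS),
    _ev(DROPPER, USER_RUN, SOS),
    _ev(SOS, RUNSERVICES, SOS),
    _ev(SOS, USER_RUN, SOS),
    # Control: an installer registering an updater under Program Files (not flagged).
    _ev(r"C:\Windows\System32\msiexec.exe",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
        r'"C:\Program Files\Example\updater.exe" /background'),
    # Control: the report's Classes write by SOS.exe is not an autostart location.
    _ev(SOS, r"HKLM\SOFTWARE\Classes\legend of mir2\WinX", "1"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running it yields four findings, all pointing at C:\Windows\SOS.exe: two on the legacy RunServices key, two on the effective per-user Run key, the second pair marked as self-persisting because the writer is SOS.exe itself. On a live host the same logic can be fed from Sysmon's operational log or from `Get-ItemProperty` over both the native and the WOW6432Node Run/RunServices paths; the allow-list of image locations is the knob to tune for your estate.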
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  \??\A:  be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe
  File opened (read-only)  \??\B:  be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe

A: and B: are the legacy floppy letters, so these two opens are the first steps of a drive-letter sweep rather than access to a specific volume; the Program Files activity below shows where the sweep ended up on C:.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe (PID 2916). The sandbox records a handle opened with write access; it does not confirm that the file contents changed, so on a real host the affected binaries need an integrity or signature check. Grouped by directory:

  C:\Program Files\7-Zip\
    7z.exe, 7zFM.exe, 7zG.exe, Uninstall.exe
  C:\Program Files\Common Files\microsoft shared\ClickToRun\
    AppVShNotify.exe, appvcleaner.exe, InspectorOfficeGadget.exe, IntegratedOffice.exe, MavInject32.exe, OfficeC2RClient.exe, OfficeClickToRun.exe
  C:\Program Files\Common Files\microsoft shared\ink\
    InputPersonalization.exe, mip.exe, ShapeCollector.exe, TabTip.exe
  C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
  C:\Program Files\dotnet\dotnet.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe
  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe
  C:\Program Files\Google\Chrome\Application\
    chrome.exe, chrome_proxy.exe
  C:\Program Files\Google\Chrome\Application\106.0.5249.119\
    chrome_pwa_launcher.exe, elevation_service.exe, notification_helper.exe, Installer\chrmstp.exe, Installer\setup.exe
  C:\Program Files\Internet Explorer\
    ExtExport.exe, ieinstal.exe, ielowutil.exe, iexplore.exe
  C:\Program Files\Java\jdk-1.8\bin\
    appletviewer.exe, extcheck.exe, idlj.exe, jabswitch.exe, jar.exe, jarsigner.exe, java.exe, java-rmi.exe, javac.exe, javadoc.exe, javafxpackager.exe, javah.exe, javap.exe, javapackager.exe, javaw.exe, javaws.exe, jconsole.exe, jdb.exe, jdeps.exe, jhat.exe, jinfo.exe, jjs.exe, jmap.exe, jps.exe, jrunscript.exe, jsadebugd.exe, jstat.exe, jstatd.exe, keytool.exe, kinit.exe, klist.exe
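Because the report only proves write access to the 64 executables, the practical follow-up is a baseline comparison that shows which of them actually changed. The block below is an added example, not sandbox output or the sample's code: it hashes every executable under a root, diffs a later scan against the baseline, and classifies each path as modified, added or removed. The demo builds a throwaway "Program Files" tree with a handful of paths taken from the IoC list and constructed placeholder contents, then tampers with them the way a file-infector might (bytes appended to one binary, another overwritten, one dropped, one deleted); the tree, the contents and the tampering are all constructed for the demo.

```python
"""Detect in-place modification of executables under a Program Files tree.

Added example, not sandbox output. The directory tree and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each executable (path relative to root, lower-cased because Windows
    file names are case-insensitive) to its SHA-256 and size."""
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix().lower()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def diff_baseline(before: dict, after: dict) -> dict:
    """Classify every executable as modified, added or removed relative to the baseline."""
    shared = before.keys() & after.keys()
    return {
        "modified": sorted(p for p in shared if before[p]["sha256"] != after[p]["sha256"]),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


# Relative paths taken from the report's "Drops file in Program Files directory" list.
REPORT_PATHS = [
    "7-Zip/7z.exe",
    "Google/Chrome/Application/chrome.exe",
    "Java/jdk-1.8/bin/java.exe",
    "Common Files/microsoft shared/ink/TabTip.exe",
]


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, rescan, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        for rel in REPORT_PATHS:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"MZ" + rel.encode() * 64)   # constructed stand-in for a PE
        (root / "7-Zip" / "readme.txt").write_text("not an executable; ignored by the scan")
        before = build_baseline(root)

        # Constructed tampering, one case per diff class:
        with (root / "7-Zip" / "7z.exe").open("ab") as fh:
            fh.write(b"\x90" * 512)                                          # appended bytes
        (root / "Java/jdk-1.8/bin/java.exe").write_bytes(b"MZ" + b"\x00" * 1024)  # overwritten
        (root / "Google/Chrome/Application/new_helper.exe").write_bytes(b"MZ")      # dropped
        (root / "Common Files/microsoft shared/ink/TabTip.exe").unlink()            # deleted
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host the baseline comes from a golden image or from the same machine before exposure, and a hash diff will also fire on legitimate updates, so pair it with package inventory or with signature validation (`Get-AuthenticodeSignature` in PowerShell, `signtool verify /pa` from the SDK): appending code to a signed binary invalidates its Authenticode signature, which is often the quicker first triage pass across a whole Program Files tree.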
Drops file in Windows directory (3 IoCs)
  File created                C:\Windows\SOS.exe  be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm
  File opened for modification  C:\Windows\SOS.exe  be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm
  File created                C:\Windows\SOS.exe  SOS.exe
Modifies registry class (3 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2  SOS.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\WinX = "1"  SOS.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\legend of mir2\NowCount = "0"  SOS.exe

The key name references the MMORPG Legend of Mir 2, and the two values read like the program's own run-state counters rather than a file-association or COM change; the signature fires on the HKLM\SOFTWARE\Classes location, not on what was written there.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2916  be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe  (2 events)
  PID 4716  SOS.exe  (remaining 62 events)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2916 (be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe) wrote to memory of PID 4472 (be76907382f73b8f9e962af193c82d53_JaffaCakes118.tmp)  3 events, procid_target 86
  PID 2916 (be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe) wrote to memory of PID 2032 (be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm)   3 events, procid_target 87
  PID 2032 (be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm)  wrote to memory of PID 4716 (SOS.exe)  3 events, procid_target 90

Each write targets a process the writer had just spawned, and there are exactly three per child; that pattern is consistent with ordinary process start-up by the parent rather than with injection into a foreign process. The report shows no writes into processes outside this chain.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe  (PID 2916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.tmp  (PID 4472)
        Command line: C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.tmp
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm  (PID 2032)
        Command line: C:\Users\Admin\AppData\Local\Temp\be76907382f73b8f9e962af193c82d53_JaffaCakes118.mm /zhj
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SOS.exe  (PID 4716)
            Command line: C:\Windows\SOS.exe /zhj
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 471KB
MD5: 1035ad53e28e46d2242043dc6eda251b
SHA1: d76feb0a3afcaa8b7f5ad27cf9cd661037b52869
SHA256: 6890bc0e599ff54dd18cdbc9980b86dd20312d25452fabe0f2d808080bf549d1
SHA512: 636f95339bd43fd5ffaa240e50679cc48e38784c807a03bad905c297cffe05f0abea633b21d9889fed3b4f9e2b244df58d38d1e7f618e9911e28961a91559498

Filesize: 13KB
MD5: 5929f882ea0c71123fc41de8e26949d1
SHA1: a3b2529823741beabef45301f3f50a9347438ac6
SHA256: 244fd7e7e9ed1f6fb5090c7f7a062272c9feb507281d1b8fe54650db5ec7796b
SHA512: 387259fc4c41b52be5eb426d3d26333faf3644d376e485cdad1222c4bbcdcd8596f2fd78d51dad4d0ee0d67dc374b1542017cc77ac1d8659923df0c5b0013cf0