Analysis

max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:45
Static task: static1

Behavioral task: behavioral1
  Sample: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General

Target: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe
Size: 24KB
MD5: beb0eae669952040b5a11956f9576b25
SHA1: dc4e7e23837c7fd756136d07e8208aece18baf7d
SHA256: 2b7c38975c3299b22a69f71f762352fdd87a707dd38cb3b71f914b63e3ddbd2e
SHA512: 373ef784e60cde7afbda1d84e410d9c811d5b4f299c2c505aa7fb5eb61255324b183af3a789ccc08d17399033d78b14380e6a4a84675449e20a74c68cca7ec75
SSDEEP: 384:E3eVES+/xwGkRKJD+clM61qmTTMVF9/q5V0:bGS+ZfbJD9O8qYoA6
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Start GeekBuddy = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\1033\\spoolsv.exe"
  Process: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe

Drops file in Program Files directory (1 IoC)
  description: File created
  ioc: C:\Program Files\Common Files\Microsoft Shared\Web Folders\1033\spoolsv.exe
  Process: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe

Enumerates processes with tasklist (1 TTP, 1 IoC)
  pid: 2536  Process: tasklist.exe

Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid: 2340  Process: ipconfig.exe
  pid: 2448  Process: NETSTAT.EXE

Runs net.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid: 2536  Process: tasklist.exe
  description: Token: SeDebugPrivilege  pid: 2448  Process: NETSTAT.EXE

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2732  Process: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe
  pid: 2732  Process: beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 2732 wrote to memory of 2832 | 2732 | beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe | 28
  PID 2732 wrote to memory of 2832 | 2732 | beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe | 28
  PID 2732 wrote to memory of 2832 | 2732 | beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe | 28
  PID 2732 wrote to memory of 2832 | 2732 | beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe | 28
  PID 2832 wrote to memory of 2904 | 2832 | cmd.exe | 30
  PID 2832 wrote to memory of 2904 | 2832 | cmd.exe | 30
  PID 2832 wrote to memory of 2904 | 2832 | cmd.exe | 30
  PID 2832 wrote to memory of 2904 | 2832 | cmd.exe | 30
  PID 2832 wrote to memory of 2340 | 2832 | cmd.exe | 31
  PID 2832 wrote to memory of 2340 | 2832 | cmd.exe | 31
  PID 2832 wrote to memory of 2340 | 2832 | cmd.exe | 31
  PID 2832 wrote to memory of 2340 | 2832 | cmd.exe | 31
  PID 2832 wrote to memory of 2536 | 2832 | cmd.exe | 32
  PID 2832 wrote to memory of 2536 | 2832 | cmd.exe | 32
  PID 2832 wrote to memory of 2536 | 2832 | cmd.exe | 32
  PID 2832 wrote to memory of 2536 | 2832 | cmd.exe | 32
  PID 2832 wrote to memory of 2544 | 2832 | cmd.exe | 34
  PID 2832 wrote to memory of 2544 | 2832 | cmd.exe | 34
  PID 2832 wrote to memory of 2544 | 2832 | cmd.exe | 34
  PID 2832 wrote to memory of 2544 | 2832 | cmd.exe | 34
  PID 2544 wrote to memory of 2596 | 2544 | net.exe | 35
  PID 2544 wrote to memory of 2596 | 2544 | net.exe | 35
  PID 2544 wrote to memory of 2596 | 2544 | net.exe | 35
  PID 2544 wrote to memory of 2596 | 2544 | net.exe | 35
  PID 2832 wrote to memory of 2448 | 2832 | cmd.exe | 36
  PID 2832 wrote to memory of 2448 | 2832 | cmd.exe | 36
  PID 2832 wrote to memory of 2448 | 2832 | cmd.exe | 36
  PID 2832 wrote to memory of 2448 | 2832 | cmd.exe | 36
Processes

[1] C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\beb0eae669952040b5a11956f9576b25_JaffaCakes118.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2732

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ver >c:\windows\temp\flash.log & cmd /c set >>c:\windows\temp\flash.log & ipconfig /all >>c:\windows\temp\flash.log & tasklist >>c:\windows\temp\flash.log & net start>>c:\windows\temp\flash.log & netstat -an >>c:\windows\temp\flash.log
        - Suspicious use of WriteProcessMemory
        PID: 2832

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c set
            PID: 2904

        [3] C:\Windows\SysWOW64\ipconfig.exe
            Command line: ipconfig /all
            - Gathers network information
            PID: 2340

        [3] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken
            PID: 2536

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net start
            - Suspicious use of WriteProcessMemory
            PID: 2544

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 start
                PID: 2596

        [3] C:\Windows\SysWOW64\NETSTAT.EXE
            Command line: netstat -an
            - Gathers network information
            - Suspicious use of AdjustPrivilegeToken
            PID: 2448
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: c9d9c5a73b656399aa503a73299cb29f
SHA1: c7ee412aef37cfa0404d361c5db658aa9af2f845
SHA256: 3ba943c3c52226ad438b9ff37432999f4bf8b6576ce275a152fdae70dce2d58d
SHA512: 3ea6aebe50c5fb1aec9cd58edc93875a795d6214c3fc909609c9274ae60e170051a1928e23b6ffc568e7914996e56b887578bf87aa2f2b1974b7f6b06f78c894