Analysis
max time kernel: 149s
max time network: 117s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 04/04/2024, 17:53
Static task: static1

Behavioral task: behavioral1
  Sample: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
Size: 173KB
MD5: bedc21cc9bb6cc278ba47dee9f32dc27
SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216
SSDEEP: 3072:fBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ikXO:fK5ArKjbAxXSaegUqGeGpBohMX
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  948   cleaubst.exe
  2220  ~1FA1.tmp
  1884  ipcorver.exe

Loads dropped DLL (3 IoCs)
  pid   Process
  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe
  948   cleaubst.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmdktend = "C:\\Users\\Admin\\AppData\\Roaming\\ciphtune\\cleaubst.exe"
  Process: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe

Drops file in System32 directory (1 IoC)
  description: File created
  ioc: C:\Windows\SysWOW64\ipcorver.exe
  Process: bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2572  1972        WerFault.exe  27

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  948   cleaubst.exe
  1376  Explorer.EXE
  1884  ipcorver.exe
  (the remaining entries alternate between 1376 Explorer.EXE and 1884 ipcorver.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeShutdownPrivilege
  pid: 1376
  Process: Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   Process                                              procid_target
  PID 1972 wrote to memory of 948   1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  28
  PID 1972 wrote to memory of 948   1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  28
  PID 1972 wrote to memory of 948   1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  28
  PID 1972 wrote to memory of 948   1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  28
  PID 948 wrote to memory of 2220   948   cleaubst.exe                                         29
  PID 948 wrote to memory of 2220   948   cleaubst.exe                                         29
  PID 948 wrote to memory of 2220   948   cleaubst.exe                                         29
  PID 948 wrote to memory of 2220   948   cleaubst.exe                                         29
  PID 2220 wrote to memory of 1376  2220  ~1FA1.tmp                                            21
  PID 1972 wrote to memory of 2572  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  31
  PID 1972 wrote to memory of 2572  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  31
  PID 1972 wrote to memory of 2572  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  31
  PID 1972 wrote to memory of 2572  1972  bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe  31
Processes
C:\Windows\Explorer.EXE (PID 1376)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe (PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bedc21cc9bb6cc278ba47dee9f32dc27_JaffaCakes118.exe"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe (PID 948)
      Command line: "C:\Users\Admin\AppData\Roaming\ciphtune\cleaubst.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp (PID 2220)
        Command line: "C:\Users\Admin\AppData\Local\Temp\~1FA1.tmp"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (PID 2572)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 260
      - Program crash
C:\Windows\SysWOW64\ipcorver.exe (PID 1884)
  Command line: C:\Windows\SysWOW64\ipcorver.exe -k
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 6KB
MD5: dd82fd50b49849e5554a7edae2bb78bb
SHA1: 63106cfe3d3a1d60be2d44e1218fb3ce9afe686c
SHA256: c4bece33fde62ec6fa1fe0a6b4b23f7106d759134ed72794d8086fe68ace561c
SHA512: af8b5b3b46af78d1382689cf7e92adfa78ef4326c3a96624970502f9955ed6c17917389d525918983fe88fae04f95ae533e4e9a20da161d599d17c48270e6b76

Filesize: 173KB
MD5: bedc21cc9bb6cc278ba47dee9f32dc27
SHA1: 7c8d177753fcf3f1afb578895e8e852a6bd75c55
SHA256: 4fbb6d84a1a7054724b491fe928c655b3bb7bb45c971f8126e6f39e0fc70ebfa
SHA512: 46ad6477c4addaa0a464e02eefbd68e1c76a6d9794bbe820d36de67254b3198dba361769f67ef2ecc2958d160a2bfd8400095bf2c13b352a64c61b864e721216

Filesize: 173KB
MD5: 8f8632b957108d710d90dec7f3d02aab
SHA1: acf3b1bcdfea0c49a1c8583950f113ef241ecb2b
SHA256: 864a91ece964b2d235ece6f79ee823f92404183ca12bcd2db457ddccce65d068
SHA512: 50da571536c63e1eaf334631ccb9575dd464283cec897d0d1b37d4d1fc0b10281a105fbae5f10cfb0aa61cbc9b6108829caf87bba804f4090626fec529f8d50e